package com.ibm.ws.eba.bla.steps;

import com.ibm.websphere.management.AdminService;
import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.security.Result;
import com.ibm.ws.eba.bla.AriesStep;
import com.ibm.ws.eba.bla.ColumnAttribute;
import com.ibm.ws.eba.bla.PropertyRow;
import com.ibm.ws.eba.bla.PropertyTable;
import com.ibm.ws.eba.bla.util.EbaConstants;
import com.ibm.ws.eba.service.damping.AriesFacilitator;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.management.bla.util.UtilHelper;
import com.ibm.wsspi.aries.application.metadata.WASApplicationSecurityRoleMappingMetadata;
import com.ibm.wsspi.management.bla.op.OpExecutionException;
import com.ibm.wsspi.management.bla.op.compound.Phase;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import java.util.StringTokenizer;
import javax.management.InstanceNotFoundException;
import javax.management.MBeanException;
import javax.management.MalformedObjectNameException;
import javax.management.ObjectName;
import javax.management.QueryExp;
import javax.management.ReflectionException;

/* loaded from: input_file:com/ibm/ws/eba/bla/steps/MapRolesToUsersStep.class */
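/**
 * Deployment step that edits the mapping of application security roles to users, groups and
 * "special subjects" (everyone, all authenticated users in the application realm, all
 * authenticated users in trusted realms).
 *
 * <p>The step exposes one table row per application role. User and group lists are stored in a
 * single cell as a {@code |}-separated string.
 *
 * <p>Security-relevant behaviour, as implemented in this class:
 * <ul>
 *   <li>{@link #validateTable(PropertyTable)} only checks that each listed user and group can be
 *       looked up through the {@code SecurityAdmin} MBean. It does not judge whether the mapping
 *       itself is appropriate (for example a role mapped to everyone).</li>
 *   <li>That lookup is skipped entirely when the JVM system property
 *       {@code com.ibm.ws.eba.bla.MapRolesToUsersStep.SkipValidation} is {@code true}, when the
 *       process name is {@code Migration}, or when no {@code SecurityAdmin} MBean is found. In all
 *       three cases the table is accepted without any user or group being checked.</li>
 *   <li>{@link #processPropertyRows} clears every existing role mapping before rebuilding it from
 *       the table, so the table is the complete source of truth for the result.</li>
 * </ul>
 */
public class MapRolesToUsersStep extends AbstractMapSecurityRolesStep {
    private static final TraceComponent tc = Tr.register(MapRolesToUsersStep.class, EbaConstants._EBA_TRACE_GROUP, "com.ibm.ws.eba.bla.nls.Messages");
    public static final String SPECIAL_SUBJECTS = "specialSubjects";
    public static final String YES_KEY = "Yes";
    public static final String NO_KEY = "No";
    private static final String USERS_LOOKUP_METHOD = "getUsers";
    private static final String GROUPS_LOOKUP_METHOD = "getGroups";

    // JVM-wide switch: when this system property is "true" validateTable performs no user or
    // group lookup at all. Anyone able to set system properties for the process can therefore
    // turn the check off; treat it as a deployment-time override, not a per-request option.
    private static final String SKIP_VALIDATION = "com.ibm.ws.eba.bla.MapRolesToUsersStep.SkipValidation";

    // Column names of the role mapping table.
    private static final String COL_ROLE = "role";
    private static final String COL_EVERYONE = "role.everyone";
    private static final String COL_ALL_AUTH_USER = "role.all.auth.user";
    private static final String COL_USER = "role.user";
    private static final String COL_GROUP = "role.group";
    private static final String COL_ALL_AUTH_REALMS = "role.all.auth.realms";
    private static final String COL_USER_ACCESS_IDS = "role.user.access.ids";
    private static final String COL_GROUP_ACCESS_IDS = "role.group.access.ids";

    // Special subject keys stored in the role mapping metadata.
    private static final String SUBJECT_NONE = "roles.subject.none";
    private static final String SUBJECT_EVERYONE = "roles.subject.Everyone";
    private static final String SUBJECT_ALL_AUTH_APP_REALM = "roles.subject.AllAuthAppRealm";
    private static final String SUBJECT_ALL_AUTH_TRUSTED_REALMS = "roles.subject.AllAuthTrustedRealms";

    // JMX signature shared by the getUsers and getGroups lookups.
    private static final String[] LOOKUP_SIGNATURE = {"java.lang.String", "java.lang.Integer", "java.util.Properties"};

    /**
     * Creates the step.
     *
     * @param str   passed unchanged to the superclass constructor
     * @param phase passed unchanged to the superclass constructor
     */
    public MapRolesToUsersStep(String str, Phase phase) {
        super(str, phase);
    }

    /**
     * Describes the columns of the role mapping table.
     *
     * @return the column definitions; only {@code role} is immutable, and {@code specialSubjects}
     *         is hidden
     */
    @Override
    public List<ColumnAttribute> createColumnAttributes() {
        if (TraceComponent.isAnyTracingEnabled() && tc.isEntryEnabled()) {
            Tr.entry(tc, "createColumnAttributes", new Object[0]);
        }
        List<ColumnAttribute> columns = new ArrayList<>();
        columns.add(new ColumnAttribute(COL_ROLE, ColumnAttribute.DataType.IMMUTABLE, ColumnAttribute.UserInput.OPTIONAL));
        columns.add(new ColumnAttribute(COL_EVERYONE, ColumnAttribute.DataType.MUTABLE, ColumnAttribute.UserInput.OPTIONAL));
        columns.add(new ColumnAttribute(COL_ALL_AUTH_USER, ColumnAttribute.DataType.MUTABLE, ColumnAttribute.UserInput.OPTIONAL));
        columns.add(new ColumnAttribute(COL_USER, ColumnAttribute.DataType.MUTABLE, ColumnAttribute.UserInput.OPTIONAL));
        columns.add(new ColumnAttribute(COL_GROUP, ColumnAttribute.DataType.MUTABLE, ColumnAttribute.UserInput.OPTIONAL));
        columns.add(new ColumnAttribute(COL_ALL_AUTH_REALMS, ColumnAttribute.DataType.MUTABLE, ColumnAttribute.UserInput.OPTIONAL));
        columns.add(new ColumnAttribute(COL_USER_ACCESS_IDS, ColumnAttribute.DataType.MUTABLE, ColumnAttribute.UserInput.OPTIONAL));
        columns.add(new ColumnAttribute(COL_GROUP_ACCESS_IDS, ColumnAttribute.DataType.MUTABLE, ColumnAttribute.UserInput.OPTIONAL));
        columns.add(new ColumnAttribute(SPECIAL_SUBJECTS, ColumnAttribute.DataType.MUTABLE, ColumnAttribute.UserInput.OPTIONAL, ColumnAttribute.Visibility.HIDDEN));
        if (TraceComponent.isAnyTracingEnabled() && tc.isEntryEnabled()) {
            Tr.exit(tc, "createColumnAttributes", columns);
        }
        return columns;
    }

    /**
     * Runs {@link #validateTable(PropertyTable)} and additionally reports roles that have no
     * mapping at all.
     *
     * @param propertyTable the role mapping table to check
     * @return {@code ERROR} when {@code validateTable} rejects the table, {@code WARNING} when at
     *         least one role is mapped to nobody, otherwise {@code OK}
     * @throws OpExecutionException declared by the overridden method; a failure raised by
     *         {@code validateTable} is reported as {@code ERROR} instead of being rethrown
     */
    @Override
    public AriesStep.ValidationResult fullValidateTable(PropertyTable propertyTable) throws OpExecutionException {
        if (TraceComponent.isAnyTracingEnabled() && tc.isEntryEnabled()) {
            Tr.entry(tc, "fullValidateTable", new Object[]{propertyTable});
        }
        AriesStep.ValidationResult validationResult = AriesStep.ValidationResult.OK;
        try {
            validateTable(propertyTable);
            for (PropertyRow row : propertyTable.getImmutableRows()) {
                if (!hasAnyMapping(row)) {
                    validationResult = AriesStep.ValidationResult.WARNING;
                }
            }
        } catch (OpExecutionException e) {
            // The exception is the only record of why the table was rejected (for example which
            // user or group was unknown), so trace it before collapsing it into ERROR.
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "Validation of the role mapping table failed", new Object[]{e});
            }
            validationResult = AriesStep.ValidationResult.ERROR;
        }
        if (TraceComponent.isAnyTracingEnabled() && tc.isEntryEnabled()) {
            Tr.exit(tc, "fullValidateTable", validationResult);
        }
        return validationResult;
    }

    /**
     * Checks that every user and group named in the table can be found through the
     * {@code SecurityAdmin} MBean of the current process.
     *
     * <p>No lookup is performed, and the method returns normally, when the skip-validation system
     * property is set, when the process name is {@code Migration}, or when no
     * {@code SecurityAdmin} MBean is registered.
     *
     * @param propertyTable the role mapping table to check
     * @throws OpExecutionException if a user or group is not found (users are reported before
     *         groups), or if the MBean query or invocation fails
     */
    @Override
    public void validateTable(PropertyTable propertyTable) throws OpExecutionException {
        if (TraceComponent.isAnyTracingEnabled() && tc.isEntryEnabled()) {
            Tr.entry(tc, "validateTable", new Object[]{propertyTable});
        }
        if (isValidationSkipped()) {
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "Skipping Validation of the table as per system property", new Object[0]);
            }
        } else {
            AdminService adminService = AriesFacilitator.getAdminService();
            String processName = adminService.getProcessName();
            if ("Migration".equals(processName)) {
                if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                    Tr.debug(tc, "Unable to Validate the table as we're running a Migration", new Object[0]);
                }
            } else {
                validateAgainstSecurityAdmin(propertyTable, adminService, processName);
            }
        }
        if (TraceComponent.isAnyTracingEnabled() && tc.isEntryEnabled()) {
            Tr.exit(tc, "validateTable");
        }
    }

    /**
     * Replaces all role mappings in the metadata with the content of the table.
     *
     * <p>The existing mappings are cleared before the rows are read. If reading a row fails part
     * way through (for example {@link #getSetFromString(String)} throws on a {@code null} cell),
     * the metadata is left with only the rows processed so far.
     *
     * @param propertyTable the role mapping table
     * @param wASApplicationSecurityRoleMappingMetadata the metadata to rewrite; when {@code null}
     *        nothing is done
     */
    @Override
    public void processPropertyRows(PropertyTable propertyTable, WASApplicationSecurityRoleMappingMetadata wASApplicationSecurityRoleMappingMetadata) {
        if (TraceComponent.isAnyTracingEnabled() && tc.isEntryEnabled()) {
            Tr.entry(tc, "processPropertyRows", new Object[]{propertyTable, wASApplicationSecurityRoleMappingMetadata});
        }
        if (wASApplicationSecurityRoleMappingMetadata != null) {
            wASApplicationSecurityRoleMappingMetadata.clearRoleMappings();
            for (PropertyRow row : propertyTable.getImmutableRows()) {
                String role = row.getCellValue(COL_ROLE);
                wASApplicationSecurityRoleMappingMetadata.mapUsersToApplicationRole(role, getSetFromString(row.getCellValue(COL_USER)));
                wASApplicationSecurityRoleMappingMetadata.mapGroupsToApplicationRole(role, getSetFromString(row.getCellValue(COL_GROUP)));
                // The special subject is derived from the Yes/No columns, not from the hidden
                // specialSubjects column.
                String specialSubjectKey = getSpecialSubjectKey(row);
                if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                    Tr.debug(tc, "special subject key to store", new Object[]{specialSubjectKey});
                }
                wASApplicationSecurityRoleMappingMetadata.mapSpecialSubjectToApplicationRole(role, specialSubjectKey);
            }
        } else if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
            Tr.debug(tc, "Unable to process rows as metadata is null", new Object[0]);
        }
        if (TraceComponent.isAnyTracingEnabled() && tc.isEntryEnabled()) {
            Tr.exit(tc, "processPropertyRows");
        }
    }

    /**
     * Builds one table row per application role from the current metadata.
     *
     * @param wASApplicationSecurityRoleMappingMetadata the metadata to read; may be {@code null}
     * @return the rows, or an empty list when the metadata is {@code null}
     */
    @Override
    public List<PropertyRow> createPropertyRows(WASApplicationSecurityRoleMappingMetadata wASApplicationSecurityRoleMappingMetadata) {
        if (TraceComponent.isAnyTracingEnabled() && tc.isEntryEnabled()) {
            Tr.entry(tc, "createPropertyRows", new Object[]{wASApplicationSecurityRoleMappingMetadata});
        }
        List<PropertyRow> rows = new ArrayList<>();
        if (wASApplicationSecurityRoleMappingMetadata != null) {
            for (String role : wASApplicationSecurityRoleMappingMetadata.getAllApplicationRoles()) {
                PropertyRow row = new PropertyRow();
                row.setCellValue(COL_ROLE, role);
                // Default every special-subject column to "No", then switch on at most one.
                row.setCellValue(COL_EVERYONE, NO_KEY);
                row.setCellValue(COL_ALL_AUTH_USER, NO_KEY);
                row.setCellValue(COL_ALL_AUTH_REALMS, NO_KEY);
                String specialSubject = wASApplicationSecurityRoleMappingMetadata.getSpecialSubjectMappedToApplicationRole(role);
                if (SUBJECT_EVERYONE.equals(specialSubject)) {
                    row.setCellValue(COL_EVERYONE, YES_KEY);
                } else if (SUBJECT_ALL_AUTH_APP_REALM.equals(specialSubject)) {
                    row.setCellValue(COL_ALL_AUTH_USER, YES_KEY);
                } else if (SUBJECT_ALL_AUTH_TRUSTED_REALMS.equals(specialSubject)) {
                    row.setCellValue(COL_ALL_AUTH_REALMS, YES_KEY);
                }
                row.setCellValue(COL_USER, getStringFromSet(wASApplicationSecurityRoleMappingMetadata.getUsersMappedToApplicationRole(role)));
                row.setCellValue(COL_GROUP, getStringFromSet(wASApplicationSecurityRoleMappingMetadata.getGroupsMappedToApplicationRole(role)));
                row.setCellValue(COL_USER_ACCESS_IDS, "");
                row.setCellValue(COL_GROUP_ACCESS_IDS, "");
                row.setCellValue(SPECIAL_SUBJECTS, getSpecialSubjectKey(row));
                rows.add(row);
            }
        } else if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
            Tr.debug(tc, "Unable to process rows as metadata is null", new Object[0]);
        }
        if (TraceComponent.isAnyTracingEnabled() && tc.isEntryEnabled()) {
            Tr.exit(tc, "createPropertyRows", rows);
        }
        return rows;
    }

    /** Reads the skip-validation system property inside a privileged block. */
    private boolean isValidationSkipped() {
        return AccessController.doPrivileged(new PrivilegedAction<Boolean>() {
            @Override
            public Boolean run() {
                return Boolean.valueOf(Boolean.getBoolean(MapRolesToUsersStep.SKIP_VALIDATION));
            }
        }).booleanValue();
    }

    /**
     * Looks up every user and group of the table through the first {@code SecurityAdmin} MBean
     * registered for {@code processName}; returns without checking anything if none is found.
     */
    private void validateAgainstSecurityAdmin(PropertyTable propertyTable, AdminService adminService, String processName) throws OpExecutionException {
        try {
            Iterator<?> mbeans = adminService.queryNames(new ObjectName("WebSphere:type=SecurityAdmin,process=" + processName + ",*"), (QueryExp) null).iterator();
            if (!mbeans.hasNext()) {
                if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                    Tr.debug(tc, "No SecurityAdmin MBean found", new Object[0]);
                }
                return;
            }
            ObjectName securityAdmin = (ObjectName) mbeans.next();
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "Found SecurityAdmin MBean, validating users and groups", new Object[0]);
            }
            // Collect the distinct names over all rows so each one is looked up only once.
            Set<String> users = new HashSet<>();
            Set<String> groups = new HashSet<>();
            for (PropertyRow row : propertyTable.getImmutableRows()) {
                users.addAll(getSetFromString(row.getCellValue(COL_USER)));
                groups.addAll(getSetFromString(row.getCellValue(COL_GROUP)));
            }
            // After these two calls the sets hold only the names that were NOT found.
            removeKnownNames(adminService, securityAdmin, USERS_LOOKUP_METHOD, users);
            removeKnownNames(adminService, securityAdmin, GROUPS_LOOKUP_METHOD, groups);
            OpExecutionException failure = null;
            if (!users.isEmpty()) {
                failure = new OpExecutionException(getInvalidUserOrGroupMessage("INVALID_USER", users));
            } else if (!groups.isEmpty()) {
                failure = new OpExecutionException(getInvalidUserOrGroupMessage("INVALID_GROUP", groups));
            }
            if (failure != null) {
                if (TraceComponent.isAnyTracingEnabled() && tc.isEntryEnabled()) {
                    Tr.exit(tc, "validateTable", failure);
                }
                throw failure;
            }
        } catch (InstanceNotFoundException e) {
            throw wrapValidationFailure(e, "268");
        } catch (ReflectionException e) {
            throw wrapValidationFailure(e, "282");
        } catch (MBeanException e) {
            throw wrapValidationFailure(e, "275");
        } catch (NullPointerException e) {
            // Also reached when a user or group cell is null, because getSetFromString does not
            // accept null.
            throw wrapValidationFailure(e, "205");
        } catch (MalformedObjectNameException e) {
            throw wrapValidationFailure(e, "199");
        }
    }

    /**
     * Removes from {@code names} every entry for which the MBean lookup returns exactly one
     * result.
     *
     * <p>NOTE(review): the name is passed as the first lookup argument with a result limit of 1,
     * and the returned list is only counted, never compared with the requested name. If the MBean
     * treats that argument as a search pattern (confirm against the SecurityAdmin MBean
     * contract), an entry containing wildcard characters could be accepted without naming one
     * exact user or group.
     */
    private void removeKnownNames(AdminService adminService, ObjectName securityAdmin, String lookupMethod, Set<String> names)
            throws InstanceNotFoundException, MBeanException, ReflectionException {
        Set<String> known = new HashSet<>(names.size());
        for (String name : names) {
            Result result = (Result) adminService.invoke(securityAdmin, lookupMethod, new Object[]{name, 1, null}, LOOKUP_SIGNATURE);
            if (result != null && result.getList().size() == 1) {
                known.add(name);
            }
        }
        names.removeAll(known);
    }

    /** Records {@code cause} with FFDC under {@code probeId}, traces the exit and wraps it. */
    private OpExecutionException wrapValidationFailure(Exception cause, String probeId) {
        FFDCFilter.processException(cause, MapRolesToUsersStep.class.getName(), probeId, this);
        OpExecutionException wrapped = new OpExecutionException(cause);
        if (TraceComponent.isAnyTracingEnabled() && tc.isEntryEnabled()) {
            Tr.exit(tc, "validateTable", wrapped);
        }
        return wrapped;
    }

    /**
     * Tells whether a cell holds the "Yes" value. The comparison ignores case and treats a
     * {@code null} cell as "not yes", so validation and mapping agree on what counts as enabled.
     */
    private static boolean isYes(String cellValue) {
        return YES_KEY.equalsIgnoreCase(cellValue);
    }

    /**
     * Tells whether a row maps its role to anybody: a special subject, at least one user, or at
     * least one group. A {@code null} user or group cell counts as non-empty here.
     */
    private boolean hasAnyMapping(PropertyRow row) {
        return isYes(row.getCellValue(COL_EVERYONE))
                || isYes(row.getCellValue(COL_ALL_AUTH_USER))
                || isYes(row.getCellValue(COL_ALL_AUTH_REALMS))
                || !"".equals(row.getCellValue(COL_USER))
                || !"".equals(row.getCellValue(COL_GROUP))
                || !SUBJECT_NONE.equals(row.getCellValue(SPECIAL_SUBJECTS));
    }

    /**
     * Derives the special subject key from the Yes/No columns of a row. When several columns are
     * set, everyone wins over trusted realms, which wins over the application realm; when none is
     * set the result is {@code roles.subject.none}.
     */
    private String getSpecialSubjectKey(PropertyRow propertyRow) {
        if (TraceComponent.isAnyTracingEnabled() && tc.isEntryEnabled()) {
            Tr.entry(tc, "getSpecialSubjectKey", new Object[]{propertyRow});
        }
        String key = SUBJECT_NONE;
        if (isYes(propertyRow.getCellValue(COL_EVERYONE))) {
            key = SUBJECT_EVERYONE;
        } else if (isYes(propertyRow.getCellValue(COL_ALL_AUTH_REALMS))) {
            key = SUBJECT_ALL_AUTH_TRUSTED_REALMS;
        } else if (isYes(propertyRow.getCellValue(COL_ALL_AUTH_USER))) {
            key = SUBJECT_ALL_AUTH_APP_REALM;
        }
        if (TraceComponent.isAnyTracingEnabled() && tc.isEntryEnabled()) {
            Tr.exit(tc, "getSpecialSubjectKey", key);
        }
        return key;
    }

    /**
     * Splits a {@code |}-separated cell value into its distinct entries. Empty segments are
     * dropped by the tokenizer and entries are not trimmed.
     *
     * @throws NullPointerException if {@code str} is {@code null}
     */
    private Set<String> getSetFromString(String str) {
        if (TraceComponent.isAnyTracingEnabled() && tc.isEntryEnabled()) {
            Tr.entry(tc, "getSetFromString", new Object[]{str});
        }
        StringTokenizer tokens = new StringTokenizer(str, "|");
        Set<String> entries = new HashSet<>(tokens.countTokens());
        while (tokens.hasMoreTokens()) {
            entries.add(tokens.nextToken());
        }
        if (TraceComponent.isAnyTracingEnabled() && tc.isEntryEnabled()) {
            Tr.exit(tc, "getSetFromString", entries);
        }
        return entries;
    }

    /**
     * Joins the entries of a set with {@code |}, the inverse of {@link #getSetFromString(String)}.
     * Entries are not escaped, so a name that itself contains {@code |} would be split into two
     * names when read back.
     */
    private String getStringFromSet(Set<String> set) {
        if (TraceComponent.isAnyTracingEnabled() && tc.isEntryEnabled()) {
            Tr.entry(tc, "getStringFromSet", new Object[]{set});
        }
        StringBuilder joined = new StringBuilder();
        for (String entry : set) {
            if (joined.length() != 0) {
                joined.append("|");
            }
            joined.append(entry);
        }
        String result = joined.toString();
        if (TraceComponent.isAnyTracingEnabled() && tc.isEntryEnabled()) {
            Tr.exit(tc, "getStringFromSet", result);
        }
        return result;
    }

    /**
     * Formats the message for unknown users or groups.
     *
     * @param str the message key, {@code INVALID_USER} or {@code INVALID_GROUP}
     * @param set the names that were not found; a single name is inserted as is, several names
     *        are inserted in the set's {@code toString()} form
     */
    private String getInvalidUserOrGroupMessage(String str, Set<String> set) {
        if (TraceComponent.isAnyTracingEnabled() && tc.isEntryEnabled()) {
            Tr.entry(tc, "getInvalidUserOrGroupMessage", new Object[]{str, set});
        }
        String names = set.size() == 1 ? String.valueOf(set.iterator().next()) : set.toString();
        String message = UtilHelper.getMessage(getMessagesBundle(), str, new Object[]{names});
        if (TraceComponent.isAnyTracingEnabled() && tc.isEntryEnabled()) {
            Tr.exit(tc, "getInvalidUserOrGroupMessage", message);
        }
        return message;
    }
}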
