package com.ibm.ws.wscoor;

import com.ibm.ejs.ras.Tr;
import com.ibm.ejs.ras.TraceComponent;
import com.ibm.websphere.security.WSSecurityException;
import com.ibm.websphere.security.WSSecurityHelper;
import com.ibm.websphere.security.auth.WSSecurityContext;
import com.ibm.websphere.security.auth.WSSecurityContextException;
import com.ibm.websphere.security.auth.WSSecurityContextResult;
import com.ibm.websphere.wsaddressing.ReferenceParameterCreationException;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.security.core.ContextManagerFactory;
import com.ibm.ws.security.role.RoleBasedAppException;
import com.ibm.ws.security.role.RoleBasedAuthorizer;
import com.ibm.ws.security.role.RoleBasedConfiguratorNullImpl;
import com.ibm.ws.security.service.SecurityService;
import com.ibm.ws.security.service.SecurityServiceEvent;
import com.ibm.ws.security.service.SecurityServiceListener;
import com.ibm.ws.security.util.Constants;
import com.ibm.ws.util.Base64;
import com.ibm.wsspi.runtime.config.ConfigObject;
import com.ibm.wsspi.runtime.service.WsServiceRegistry;
import com.ibm.wsspi.wsaddressing.EndpointReference;
import java.rmi.RemoteException;
import java.security.PrivilegedExceptionAction;
import java.util.List;
import org.omg.CORBA.NO_PERMISSION;

/* loaded from: input_file:com/ibm/ws/wscoor/ProtocolSecurityHelper.class */
/**
 * Protocol-security helper for the WS-Coordination ({@code wscoor}) runtime.
 * <p>
 * All state lives in static fields. {@link #initialize(ConfigObject)} creates the single
 * instance; its constructor reads the service configuration and, when protocol security is
 * enabled, registers the instance as a {@link SecurityServiceListener}.
 * {@link #stateChanged(SecurityServiceEvent)} then captures the {@link WSSecurityContext},
 * the default realm and the role-based authorizer once the security service reports state
 * {@code 1}. The static entry points ({@code checkAuthorization}, {@code makeEPRSecure},
 * {@code isEnforceProtocolSecurity}) read that shared state.
 * <p>
 * Thread-safety: none of the static fields is volatile or guarded by a lock; the class relies
 * on container initialization ordering. {@code _authFailureCount} is updated with a plain
 * read-increment-write, so concurrent failures may be under-counted (affects logging only).
 * <p>
 * Decompiled class: the numeric second argument of every {@code FFDCFilter.processException}
 * call is the original source line used as a probe id and must be preserved verbatim.
 */
public final class ProtocolSecurityHelper implements SecurityServiceListener {
    /** Singleton created by {@link #initialize(ConfigObject)}; later calls are ignored. */
    private static ProtocolSecurityHelper _instance;
    /**
     * Authorizer used by {@link #authorized()}. Starts as the null implementation from the
     * constructor and is swapped for the {@code Constants.ADMIN_APP} authorizer in
     * {@link #stateChanged(SecurityServiceEvent)}. Null until {@link #initialize} has run.
     */
    private static RoleBasedAuthorizer _roleBasedAuthorizer;
    /** Security service looked up from {@link WsServiceRegistry} in the constructor. */
    private static SecurityService _securityService;
    /**
     * Shared security context obtained from the security service on state {@code 1}; null
     * before that, or forever if the listener was never registered (protocol security
     * disabled). Every {@link #authorized(EndpointReference)} call disposes it after use.
     */
    private static WSSecurityContext _securityContext;
    /** Default realm captured from {@link ContextManagerFactory} on state {@code 1}. */
    private static String _defaultRealm;
    /** Inverse of the {@code enableProtocolSecurity} configuration attribute (default true). */
    private static boolean _disableProtocolSecurity;
    /**
     * Default warning interval. Note that the constructor's reset path uses the literal
     * {@code 10} rather than this constant.
     */
    private static final int DEFAULT_AUTH_FAILURE_MESSAGE_INTERVAL = 10;
    /** Custom-property name (matched case-insensitively) that overrides the warning interval. */
    public static final String AUTH_FAILURE_MESSAGE_INTERVAL = "AUTH_FAILURE_MESSAGE_INTERVAL";
    /** Running count of authorization failures; never reset (see {@link #reportAuthFailure()}). */
    private static int _authFailureCount;
    /**
     * Two trace components for the same class under different trace groups. {@code tc1} is
     * used for entry/exit in {@code initialize}, {@code makeEPRSecure} and the entry of
     * {@code stateChanged}; everything else (including the exit of {@code stateChanged})
     * traces on {@code tc}.
     */
    private static final TraceComponent tc = Tr.register((Class<?>) ProtocolSecurityHelper.class, WSCoorConstants.TRACE_GROUP, WSCoorConstants.TX_NLS_FILE);
    private static final TraceComponent tc1 = Tr.register((Class<?>) ProtocolSecurityHelper.class, WSCoorConstants.TX_TRACE_GROUP, WSCoorConstants.TX_NLS_FILE);
    /** Every Nth authorization failure is logged as a warning; overridden by the custom property, forced back to 10 if configured below 1. */
    private static int _authFailureMessageInterval = 10;

    /**
     * Creates the singleton on first call. Subsequent calls are no-ops, even with a different
     * {@code configObject}.
     *
     * @param configObject the {@code wscoor} service configuration passed to the constructor
     */
    public static void initialize(ConfigObject configObject) {
        boolean isAnyTracingEnabled = TraceComponent.isAnyTracingEnabled();
        if (isAnyTracingEnabled && tc1.isEntryEnabled()) {
            Tr.entry(tc1, "initialize", configObject);
        }
        if (_instance == null) {
            _instance = new ProtocolSecurityHelper(configObject);
        }
        if (isAnyTracingEnabled && tc1.isEntryEnabled()) {
            Tr.exit(tc1, "initialize");
        }
    }

    /**
     * Reads the configuration, installs the null-implementation authorizer, looks up the
     * security service and (when protocol security is enabled) registers this instance as
     * its listener, then applies the {@code properties} list. Any exception escaping the
     * body is routed to FFDC and the constructor completes with whatever state was set so far.
     *
     * @param configObject the {@code wscoor} service configuration
     */
    private ProtocolSecurityHelper(ConfigObject configObject) {
        boolean isAnyTracingEnabled = TraceComponent.isAnyTracingEnabled();
        if (isAnyTracingEnabled && tc.isEntryEnabled()) {
            Tr.entry(tc, "ProtocolSecurityHelper", configObject);
        }
        try {
            // Attribute defaults to true, so protocol security is enforced unless explicitly switched off.
            _disableProtocolSecurity = !configObject.getBoolean("enableProtocolSecurity", true);
            try {
                // Placeholder authorizer until the security service reports it is started.
                _roleBasedAuthorizer = new RoleBasedConfiguratorNullImpl().getRoleBasedAuthorizer(null, null);
            } catch (RoleBasedAppException e) {
                FFDCFilter.processException(e, "com.ibm.ws.wscoor.ProtocolSecurityHelper.ProtocolSecurityHelper", "102", this);
            }
            _securityService = (SecurityService) WsServiceRegistry.getService(this, SecurityService.class);
            // With protocol security disabled no listener is registered, so _securityContext,
            // _defaultRealm and the real authorizer are never populated.
            if (!_disableProtocolSecurity) {
                _securityService.addListener(this);
            }
            List<ConfigObject> objectList = configObject.getObjectList("properties");
            if (objectList != null && !objectList.isEmpty()) {
                for (ConfigObject configObject2 : objectList) {
                    try {
                        String string = configObject2.getString("name", null);
                        String string2 = configObject2.getString("value", null);
                        if (isAnyTracingEnabled && tc.isDebugEnabled()) {
                            Tr.debug(tc, "Property name is " + string);
                            Tr.debug(tc, "Property value is " + string2);
                        }
                        if (AUTH_FAILURE_MESSAGE_INTERVAL.equalsIgnoreCase(string)) {
                            _authFailureMessageInterval = Integer.parseInt(string2);
                        }
                    } catch (Throwable th) {
                        // A malformed (or null) value is only reported at debug level; the
                        // interval keeps its previous value.
                        if (isAnyTracingEnabled && tc.isDebugEnabled()) {
                            Tr.debug(tc, "Unable to decode wscoor service custom property. Check the format", th);
                        }
                    }
                }
            }
            // Guard against a zero/negative interval, which would make reportAuthFailure() divide by it.
            if (_authFailureMessageInterval < 1) {
                if (isAnyTracingEnabled && tc.isDebugEnabled()) {
                    Tr.debug(tc, "Resetting AUTH_FAILURE_MESSAGE_INTERVAL to 10");
                }
                _authFailureMessageInterval = 10;
            }
        } catch (Exception e2) {
            FFDCFilter.processException(e2, "com.ibm.ws.wscoor.ProtocolSecurityHelper.ProtocolSecurityHelper", "54", this);
        }
        if (isAnyTracingEnabled && tc.isEntryEnabled()) {
            Tr.exit(tc, "ProtocolSecurityHelper", this);
        }
    }

    /**
     * Security-service callback. On state {@code 1} (presumably "started"; the meaning of the
     * constant is not visible here) captures the security context and default realm and
     * replaces the placeholder authorizer with the {@code Constants.ADMIN_APP} one, falling
     * back to the null implementation if that lookup fails. Other states are ignored.
     *
     * @param securityServiceEvent the state-change event
     */
    @Override // com.ibm.ws.security.service.SecurityServiceListener
    public void stateChanged(SecurityServiceEvent securityServiceEvent) {
        boolean isAnyTracingEnabled = TraceComponent.isAnyTracingEnabled();
        if (isAnyTracingEnabled && tc1.isEntryEnabled()) {
            Tr.entry(tc1, "stateChanged", new Object[]{securityServiceEvent, this});
        }
        if (securityServiceEvent.getState() == 1) {
            _securityContext = _securityService.getWSSecurityContext();
            _defaultRealm = ContextManagerFactory.getInstance().getDefaultRealm();
            try {
                _roleBasedAuthorizer = _securityService.getConfigurator().getRoleBasedAuthorizer(Constants.ADMIN_APP, null);
                if (isAnyTracingEnabled && tc.isDebugEnabled()) {
                    Tr.debug(tc, "Proper RoleBasedAuthorizer now in use", _roleBasedAuthorizer);
                }
            } catch (RoleBasedAppException e) {
                FFDCFilter.processException(e, "com.ibm.ws.wscoor.ProtocolSecurityHelper.stateChanged", "85", this);
                if (isAnyTracingEnabled && tc.isDebugEnabled()) {
                    Tr.debug(tc, "stateChanged", e);
                }
                try {
                    // Fallback: keep the null-implementation authorizer rather than leaving the field stale.
                    _roleBasedAuthorizer = new RoleBasedConfiguratorNullImpl().getRoleBasedAuthorizer(null, null);
                } catch (RoleBasedAppException e2) {
                    FFDCFilter.processException(e2, "com.ibm.ws.wscoor.ProtocolSecurityHelper.stateChanged", "94", this);
                    if (isAnyTracingEnabled && tc.isDebugEnabled()) {
                        Tr.debug(tc, "stateChanged", e2);
                    }
                }
            }
        }
        // Exit is traced on tc although entry was traced on tc1.
        if (isAnyTracingEnabled && tc.isEntryEnabled()) {
            Tr.exit(tc, "stateChanged");
        }
    }

    /**
     * Verifies that the current caller holds the administrative role.
     *
     * @throws NO_PERMISSION if the caller is not authorized; the failure is counted and
     *         possibly logged via {@link #reportAuthFailure()} before the exception is thrown
     */
    public static void checkAuthorization() throws NO_PERMISSION {
        boolean isAnyTracingEnabled = TraceComponent.isAnyTracingEnabled();
        if (isAnyTracingEnabled && tc.isEntryEnabled()) {
            Tr.entry(tc, "checkAuthorization");
        }
        if (authorized()) {
            if (isAnyTracingEnabled && tc.isEntryEnabled()) {
                Tr.exit(tc, "checkAuthorization");
                return;
            }
            return;
        }
        reportAuthFailure();
        NO_PERMISSION no_permission = new NO_PERMISSION();
        if (isAnyTracingEnabled && tc.isEntryEnabled()) {
            Tr.exit(tc, "checkAuthorization", no_permission);
        }
        throw no_permission;
    }

    /**
     * Asks the current authorizer whether the caller is in {@code Constants.ADMIN_ROLE}.
     * Throws {@link NullPointerException} if called before {@link #initialize} has set
     * {@code _roleBasedAuthorizer}.
     *
     * @return the authorizer's verdict
     */
    private static boolean authorized() {
        boolean isAnyTracingEnabled = TraceComponent.isAnyTracingEnabled();
        if (isAnyTracingEnabled && tc.isEntryEnabled()) {
            Tr.entry(tc, "authorized");
        }
        boolean isCallerInRole = _roleBasedAuthorizer.isCallerInRole(Constants.ADMIN_ROLE);
        if (isAnyTracingEnabled && tc.isEntryEnabled()) {
            Tr.exit(tc, "authorized", Boolean.valueOf(isCallerInRole));
        }
        return isCallerInRole;
    }

    /**
     * @return the shared security context, or null if the security service has not yet
     *         reported state {@code 1} (or the listener was never registered)
     */
    public static WSSecurityContext getSecurityContext() {
        // Debug check is not guarded by isAnyTracingEnabled(), unlike the other methods.
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "getSecurityContext", _securityContext);
        }
        return _securityContext;
    }

    /**
     * @return the default realm captured in {@link #stateChanged}, or null before that
     */
    public static String getDefaultRealm() {
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "getDefaultRealm", _defaultRealm);
        }
        return _defaultRealm;
    }

    /**
     * @return true when global security is enabled and protocol security has not been
     *         switched off in the {@code wscoor} configuration
     */
    public static boolean isEnforceProtocolSecurity() {
        boolean z = WSSecurityHelper.isGlobalSecurityEnabled() && !_disableProtocolSecurity;
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "isEnforceProtocolSecurity", Boolean.valueOf(z));
        }
        return z;
    }

    /**
     * Verifies the security token carried as a reference parameter of {@code endpointReference}
     * (see {@link #authorized(EndpointReference)}).
     *
     * @param endpointReference the EPR whose reference parameters carry the token; may be null
     * @throws RemoteException with message {@code "unauthorized"} if the check fails; the
     *         failure is counted and possibly logged via {@link #reportAuthFailure()} first
     */
    public static void checkAuthorization(EndpointReference endpointReference) throws RemoteException {
        boolean isAnyTracingEnabled = TraceComponent.isAnyTracingEnabled();
        if (isAnyTracingEnabled && tc.isEntryEnabled()) {
            Tr.entry(tc, "checkAuthorization", endpointReference);
        }
        if (authorized(endpointReference)) {
            if (isAnyTracingEnabled && tc.isEntryEnabled()) {
                Tr.exit(tc, "checkAuthorization");
                return;
            }
            return;
        }
        reportAuthFailure();
        RemoteException remoteException = new RemoteException("unauthorized");
        if (isAnyTracingEnabled && tc.isEntryEnabled()) {
            Tr.exit(tc, "checkAuthorization", remoteException);
        }
        throw remoteException;
    }

    /**
     * Validates the security token on an EPR and evaluates the admin-role check under the
     * subject that token establishes.
     * <p>
     * Outcomes, in order:
     * <ul>
     * <li>No security context established: returns {@code true} without looking at the EPR
     *     (fail-open; see the note on the branch below).</li>
     * <li>Null EPR, or no token under either {@code PROPER_SECURITY_ELEMENT_QNAME} or the
     *     legacy {@code SECURITY_ELEMENT_QNAME}: returns {@code false}.</li>
     * <li>Token accepted and a result returned: returns the outcome of {@link #authorized()}
     *     run as the accepted subject.</li>
     * <li>Token rejected (any {@code Exception}), null result, or a failure in
     *     {@code dispose()}: returns {@code false}.</li>
     * </ul>
     * The nested try/catch blocks read like a decompiled {@code try / catch (Exception) /
     * finally { dispose() }}; a {@code WSSecurityContextException} from {@code dispose()}
     * yields {@code false} even when the authorization itself succeeded, and in the
     * {@code Throwable} branch it also swallows the pending throwable.
     *
     * @param endpointReference the EPR carrying the token; may be null
     * @return whether the caller identified by the token holds the admin role
     */
    private static boolean authorized(EndpointReference endpointReference) {
        boolean isAnyTracingEnabled = TraceComponent.isAnyTracingEnabled();
        if (isAnyTracingEnabled && tc.isEntryEnabled()) {
            Tr.entry(tc, "authorized", endpointReference);
        }
        WSSecurityContext securityContext = getSecurityContext();
        if (securityContext == null) {
            // NOTE(review): fail-open. Without a context (state 1 not yet reported, or protocol
            // security disabled so no listener was registered) every caller is accepted.
            // Presumably callers gate on isEnforceProtocolSecurity() first - confirm.
            if (!isAnyTracingEnabled || !tc.isEntryEnabled()) {
                return true;
            }
            Tr.exit(tc, "authorized", Boolean.TRUE);
            return true;
        }
        if (endpointReference != null) {
            // Prefer the "proper" element name, fall back to the older one (makeEPRSecure sets both).
            String referenceParameter = endpointReference.getReferenceParameter(WSCoorConstants.PROPER_SECURITY_ELEMENT_QNAME);
            if (isAnyTracingEnabled && tc.isDebugEnabled()) {
                Tr.debug(tc, WSCoorConstants.SECURITY_ELEMENT_STRING, referenceParameter);
            }
            if (referenceParameter == null) {
                referenceParameter = endpointReference.getReferenceParameter(WSCoorConstants.SECURITY_ELEMENT_QNAME);
                if (isAnyTracingEnabled && tc.isDebugEnabled()) {
                    Tr.debug(tc, WSCoorConstants.SECURITY_ELEMENT_STRING, referenceParameter);
                }
            }
            if (referenceParameter != null) {
                // NOTE(review): decoding happens outside the try below, so whatever Base64.decode
                // throws on a malformed token (not visible here) propagates to the caller instead
                // of being reported as "not authorized".
                byte[] decode = Base64.decode(referenceParameter);
                try {
                    try {
                        // NOTE(review): acceptSecContext is invoked twice with the same token and the
                        // first result is discarded; this looks unintentional - confirm against the
                        // original source and the context's replay semantics.
                        securityContext.acceptSecContext(decode);
                        WSSecurityContextResult acceptSecContext = securityContext.acceptSecContext(decode);
                        if (acceptSecContext != null) {
                            // Evaluate the role check as the subject the token established.
                            Boolean bool = (Boolean) ContextManagerFactory.getInstance().runAsSpecified(acceptSecContext.getSubject(), new PrivilegedExceptionAction() { // from class: com.ibm.ws.wscoor.ProtocolSecurityHelper.1
                                @Override // java.security.PrivilegedExceptionAction
                                public Object run() {
                                    return Boolean.valueOf(ProtocolSecurityHelper.access$000());
                                }
                            });
                            // Exit is traced here, before dispose(); a dispose failure below still returns false.
                            if (isAnyTracingEnabled && tc.isEntryEnabled()) {
                                Tr.exit(tc, "authorized", bool);
                            }
                            boolean booleanValue = bool.booleanValue();
                            try {
                                // dispose() acts on the shared static _securityContext; whether it
                                // remains usable for the next request depends on WSSecurityContext
                                // semantics not visible here.
                                securityContext.dispose();
                                return booleanValue;
                            } catch (WSSecurityContextException e) {
                                FFDCFilter.processException(e, "com.ibm.ws.wscoor.ProtocolSecurityHelper.authorized", "262");
                                if (!isAnyTracingEnabled || !tc.isEntryEnabled()) {
                                    return false;
                                }
                                Tr.exit(tc, "authorized", Boolean.FALSE);
                                return false;
                            }
                        }
                        // Null result: dispose and fall through to the final "false".
                        try {
                            securityContext.dispose();
                        } catch (WSSecurityContextException e2) {
                            FFDCFilter.processException(e2, "com.ibm.ws.wscoor.ProtocolSecurityHelper.authorized", "262");
                            if (!isAnyTracingEnabled || !tc.isEntryEnabled()) {
                                return false;
                            }
                            Tr.exit(tc, "authorized", Boolean.FALSE);
                            return false;
                        }
                    } catch (Exception e3) {
                        // Token rejected or runAsSpecified failed: record, dispose, fall through to "false".
                        FFDCFilter.processException(e3, "com.ibm.ws.wscoor.ProtocolSecurityHelper.authorized", "251");
                        if (isAnyTracingEnabled && tc.isDebugEnabled()) {
                            Tr.debug(tc, "authorized", e3);
                        }
                        try {
                            securityContext.dispose();
                        } catch (WSSecurityContextException e4) {
                            FFDCFilter.processException(e4, "com.ibm.ws.wscoor.ProtocolSecurityHelper.authorized", "262");
                            if (!isAnyTracingEnabled || !tc.isEntryEnabled()) {
                                return false;
                            }
                            Tr.exit(tc, "authorized", Boolean.FALSE);
                            return false;
                        }
                    }
                } catch (Throwable th) {
                    // Non-Exception throwable (or one escaping the handlers above): dispose and
                    // rethrow, unless dispose itself fails, in which case the throwable is dropped
                    // and "false" is returned.
                    try {
                        securityContext.dispose();
                        throw th;
                    } catch (WSSecurityContextException e5) {
                        FFDCFilter.processException(e5, "com.ibm.ws.wscoor.ProtocolSecurityHelper.authorized", "262");
                        if (!isAnyTracingEnabled || !tc.isEntryEnabled()) {
                            return false;
                        }
                        Tr.exit(tc, "authorized", Boolean.FALSE);
                        return false;
                    }
                }
            }
        }
        // No EPR, no token, token rejected, or null accept result.
        if (!isAnyTracingEnabled || !tc.isEntryEnabled()) {
            return false;
        }
        Tr.exit(tc, "authorized", Boolean.FALSE);
        return false;
    }

    /**
     * Attaches a freshly initiated security token to the EPR under both the current and the
     * legacy reference-parameter names. If no token can be produced (no security context, or
     * {@code initSecContext} failed) the EPR is left unmodified and no error is raised.
     *
     * @param str passed through to {@code WSSecurityContext.initSecContext} as its second
     *            argument; presumably the target/service name, not visible here
     * @param endpointReference the EPR to decorate; must be non-null when a token is produced
     * @throws ReferenceParameterCreationException propagated from {@code setReferenceParameter}
     */
    public static void makeEPRSecure(String str, EndpointReference endpointReference) throws ReferenceParameterCreationException {
        boolean isAnyTracingEnabled = TraceComponent.isAnyTracingEnabled();
        if (isAnyTracingEnabled && tc1.isEntryEnabled()) {
            Tr.entry(tc1, "makeEPRSecure", new Object[]{str, endpointReference});
        }
        String securityToken = getSecurityToken(str);
        if (securityToken != null) {
            endpointReference.setReferenceParameter(WSCoorConstants.PROPER_SECURITY_ELEMENT_QNAME, securityToken);
            endpointReference.setReferenceParameter(WSCoorConstants.SECURITY_ELEMENT_QNAME, securityToken);
        }
        if (isAnyTracingEnabled && tc1.isEntryEnabled()) {
            Tr.exit(tc1, "makeEPRSecure");
        }
    }

    /**
     * Initiates a security context as the server subject against the default realm and returns
     * the resulting token Base64-encoded.
     *
     * @param str second argument to {@code initSecContext}; see {@link #makeEPRSecure}
     * @return the encoded token, or null if there is no security context or
     *         {@code initSecContext} threw {@link WSSecurityException} (reported to FFDC)
     */
    private static String getSecurityToken(String str) {
        boolean isAnyTracingEnabled = TraceComponent.isAnyTracingEnabled();
        if (isAnyTracingEnabled && tc.isEntryEnabled()) {
            Tr.entry(tc, "getSecurityToken", str);
        }
        WSSecurityContext securityContext = getSecurityContext();
        if (securityContext == null) {
            if (!isAnyTracingEnabled || !tc.isEntryEnabled()) {
                return null;
            }
            Tr.exit(tc, "getSecurityToken", null);
            return null;
        }
        try {
            String encode = Base64.encode(securityContext.initSecContext(ContextManagerFactory.getInstance().getServerSubject(), str, getDefaultRealm()));
            if (isAnyTracingEnabled && tc.isEntryEnabled()) {
                Tr.exit(tc, "getSecurityToken", encode);
            }
            return encode;
        } catch (WSSecurityException e) {
            FFDCFilter.processException(e, "com.ibm.ws.wscoor.ProtocolSecurityHelper.getSecurityToken", "363");
            if (!isAnyTracingEnabled || !tc.isEntryEnabled()) {
                return null;
            }
            Tr.exit(tc, "getSecurityToken", e);
            return null;
        }
    }

    /**
     * Counts an authorization failure and logs {@code WTRN0119_UNAUTHORIZED_PROTOCOL_MSG_COUNT}
     * on the first failure and every {@code _authFailureMessageInterval}-th one thereafter
     * (the pre-increment count is tested, the post-increment count is logged). The counter is
     * never reset and the read-increment-write is not atomic.
     */
    public static void reportAuthFailure() {
        int i = _authFailureCount;
        _authFailureCount = i + 1;
        if (i % _authFailureMessageInterval == 0) {
            Tr.warning(tc, "WTRN0119_UNAUTHORIZED_PROTOCOL_MSG_COUNT", Integer.valueOf(_authFailureCount));
        }
    }

    /** Synthetic accessor letting the anonymous PrivilegedExceptionAction call the private {@link #authorized()}. */
    static /* synthetic */ boolean access$000() {
        return authorized();
    }
}
