package com.ibm.ws.wim.security.authz.jacc;

import com.ibm.sec.auth.subjectx.SubjectAttributes;
import com.ibm.sec.auth.subjectx.VirtualPrincipal;
import com.ibm.sec.authz.jaccx.DefaultEvaluationContext;
import com.ibm.sec.authz.jaccx.EvaluationContext;
import com.ibm.sec.authz.jaccx.condition.AttributeName;
import com.ibm.sec.authz.jaccx.condition.RequestContext;
import com.ibm.sec.authz.jaccx.resource.Resource;
import com.ibm.sec.authz.jaccx.resource.ResourceContext;
import com.ibm.sec.authz.jaccx.role.RoleAssignmentCondition;
import com.ibm.sec.authz.jaccx.role.RoleCondition;
import com.ibm.sec.authz.jaccx.role.RoleMapping;
import com.ibm.sec.authz.jaccx.role.RoleMappingConfigurationFactory;
import com.ibm.sec.authz.jaccx.role.RoleMappingContext;
import com.ibm.sec.authz.provider.CommonAuthzPolicy;
import com.ibm.sec.authz.provider.CommonAuthzPolicyConfigurationFactory;
import com.ibm.sec.authz.provider.CommonAuthzRoleMapping;
import com.ibm.sec.authz.provider.CommonAuthzRoleMappingConfigurationFactory;
import com.ibm.sec.authz.provider.MethodPermission;
import com.ibm.sec.authz.provider.config.CommonAuthzConfiguration;
import com.ibm.websphere.security.WSSecurityException;
import com.ibm.websphere.security.auth.CredentialDestroyedException;
import com.ibm.websphere.security.cred.WSCredential;
import com.ibm.websphere.wim.copyright.IBMCopyright;
import com.ibm.websphere.wim.exception.WIMException;
import com.ibm.websphere.wim.ras.WIMLogger;
import com.ibm.websphere.wim.security.authz.AuthSystemException;
import com.ibm.websphere.wim.security.authz.Entitlement;
import com.ibm.ws.security.auth.SubjectHelper;
import com.ibm.ws.security.core.ContextManager;
import com.ibm.ws.security.core.ContextManagerFactory;
import com.ibm.ws.wim.security.authz.AccessHandler;
import com.ibm.ws.wim.security.authz.EntitlementHelper;
import com.ibm.ws.wim.security.authz.MessageKeys;
import java.security.AccessController;
import java.security.Permission;
import java.security.Policy;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.security.ProtectionDomain;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Properties;
import java.util.Set;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.security.auth.Subject;
import javax.security.auth.login.CredentialExpiredException;
import javax.security.jacc.PolicyConfigurationFactory;
import javax.security.jacc.PolicyContextException;

/* loaded from: input_file:com/ibm/ws/wim/security/authz/jacc/JACCSecurityManager.class */
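/**
 * Bridges WIM (virtual member manager) authorization onto a JACC-style policy and
 * role-mapping provider.
 *
 * <p>Responsibilities visible in this class:
 * <ul>
 *   <li>load the "Argus"/CommonAuthz policy and role-mapping objects (second constructor),</li>
 *   <li>register a policy context and wire the request/subject/resource context handlers,</li>
 *   <li>answer role and entitlement questions for a {@link Subject} against a {@link Resource},</li>
 *   <li>provide a per-thread "super user" mode via {@link #runAsSuperUser}.</li>
 * </ul>
 *
 * <p>Security notes: {@link #hasEntitlement} short-circuits to {@code true} for a super user,
 * so everything that feeds {@link #isSuperUser} (the thread-local run-as marker and the
 * WebSphere admin-role check) is part of the trust boundary of this class.
 *
 * <p>This listing is decompiler output; a few constructs that would not compile as printed
 * (an uninitialized local used after a catch, an unreachable catch clause, an impossible cast)
 * have been restored to their only compilable reading.
 */
public class JACCSecurityManager {
    public static final String AUTHZ_HOME_DIR = "commonauthz.home";
    public static final String JACC_SUBJECT_KEY = "javax.security.auth.Subject.container";
    public static final String REQUEST_PREFIX = "com.ibm.websphere.wim.Context.";
    public static final String SUBJECT_PREFIX = "com.ibm.websphere.wim.Subject.";
    public static final String RESOURCE_PREFIX = "com.ibm.websphere.wim.Entity.";
    public static final String ATTRVALUE_NON_APPLICABLE = "$NON-APPLICABLE$";

    /** Role that {@link #isAdministrator(Subject)} treats as the WIM administrator role. */
    private static final String ADMIN_ROLE_NAME = "IdMgrAdmin";
    /** WebSphere administrative role consulted by {@link #isCallerAdministrator(Subject)}. */
    private static final String WAS_ADMIN_ROLE_NAME = "administrator";

    private Properties authzProps;
    // Held as Object and cast on access so the container-supplied defaults can be used
    // when no local provider was constructed (see getPolicy()/getRoleMapping()).
    private Object policy;
    private Object roleMapping;
    private Object policyConfigFactory;
    private Object roleMappingConfigFactory;
    private String policyContextId;
    private String appContextId;
    private RequestContext requestContext;
    private SubjectAttributes subjectAttributes;
    private ResourceContext resourceContext;
    private AccessHandler accessHandler;
    /**
     * Sentinel compared by identity-ish equality against the thread-local run-as marker.
     * It is never populated with principals or credentials; it only marks "inside
     * runAsSuperUser()" on the current thread.
     */
    private final Subject superUserSubject = new Subject();
    static final String COPYRIGHT_NOTICE = IBMCopyright.COPYRIGHT_NOTICE_LONG_2005_2010;
    private static final String CLASSNAME = JACCSecurityManager.class.getName();
    private static final Logger msgLogger = WIMLogger.getMessageLogger(MessageKeys.PACKAGE_NAME);
    private static final Logger trcLogger = WIMLogger.getTraceLogger(MessageKeys.PACKAGE_NAME);
    /** Per-thread run-as marker; set to {@link #superUserSubject} while runAsSuperUser() executes. */
    private static final ThreadLocal<Subject> runAsSubject = new ThreadLocal<Subject>();

    /**
     * Creates a manager that relies on the container-provided Policy, RoleMapping and
     * configuration factories (all provider fields stay {@code null}).
     */
    public JACCSecurityManager() {
        trcLogger.entering(CLASSNAME, "JACCSecurityManager()");
        trcLogger.exiting(CLASSNAME, "JACCSecurityManager()");
    }

    /**
     * Creates a manager with a locally loaded CommonAuthz ("Argus") provider.
     *
     * @param str  accepted for API compatibility; not used by this implementation
     * @param str2 accepted for API compatibility; not used by this implementation
     * @param str3 accepted for API compatibility; not used by this implementation
     * @param str4 accepted for API compatibility; not used by this implementation
     * @param str5 authorization home directory; when {@code null} the
     *             {@value #AUTHZ_HOME_DIR} system property is used instead
     * @throws AuthSystemException ({@code AUTH_INIT_FAILURE}) if the system property cannot be read
     */
    public JACCSecurityManager(String str, String str2, String str3, String str4, String str5) throws AuthSystemException {
        trcLogger.entering(CLASSNAME, "JACCSecurityManager(...)");
        String homeDir = str5;
        if (homeDir == null) {
            try {
                // May throw SecurityException under a restrictive SecurityManager.
                homeDir = System.getProperty(AUTHZ_HOME_DIR);
            } catch (Exception e) {
                throw new AuthSystemException("AUTH_INIT_FAILURE", e, Level.SEVERE);
            }
        }
        trcLogger.log(Level.FINER, "Loading Argus config settings...");
        this.authzProps = new CommonAuthzConfiguration(homeDir).getProperties();
        trcLogger.log(Level.FINER, "Initializing Argus Policy classes...");
        this.policy = new CommonAuthzPolicy(this.authzProps);
        this.policyConfigFactory = new CommonAuthzPolicyConfigurationFactory(this.authzProps);
        trcLogger.log(Level.FINER, "Initializing Argus RoleMapping classes...");
        this.roleMapping = new CommonAuthzRoleMapping(this.authzProps);
        this.roleMappingConfigFactory = new CommonAuthzRoleMappingConfigurationFactory(this.authzProps);
        trcLogger.exiting(CLASSNAME, "JACCSecurityManager(...)");
    }

    /**
     * Binds this manager to a policy context, refreshes the provider and builds the
     * attribute context handlers used during evaluation.
     *
     * @param str           JACC policy context id
     * @param str2          application context id (stored; not read elsewhere in this class)
     * @param accessHandler callback used to resolve subject principals/groups and resource parameters
     * @throws AuthSystemException ({@code AUTH_INIT_FAILURE}) wrapping any failure from refresh or handler setup
     */
    public void registerPolicy(String str, String str2, AccessHandler accessHandler) throws AuthSystemException {
        trcLogger.entering(CLASSNAME, "registerPolicy()");
        try {
            this.policyContextId = str;
            this.appContextId = str2;
            this.accessHandler = accessHandler;
            refreshPolicy();
            createContextHandlers();
            trcLogger.exiting(CLASSNAME, "registerPolicy()");
        } catch (Exception e) {
            throw new AuthSystemException("AUTH_INIT_FAILURE", e, Level.SEVERE);
        }
    }

    /** Asks the active Policy and RoleMapping to reload their configuration. */
    public void refreshPolicy() {
        trcLogger.entering(CLASSNAME, "refreshPolicy()");
        getPolicy().refresh();
        getRoleMapping().refresh();
        trcLogger.exiting(CLASSNAME, "refreshPolicy()");
    }

    /**
     * Resolves a display name for error messages.
     *
     * <p>This is only ever called from {@code catch} blocks while building an
     * {@code AUTH_CHECK_FAILURE}; it must not throw, otherwise the original failure
     * would be replaced by a NullPointerException from the handler itself.
     *
     * @return the principal name, or {@code null} when it cannot be resolved
     */
    private String getSubjectName(Subject subject) {
        if (this.accessHandler == null || subject == null) {
            return null;
        }
        Principal principal = this.accessHandler.getSubjectPrincipal(subject);
        return principal == null ? null : principal.getName();
    }

    /** The container's server subject; may be {@code null} when security is not active. */
    private Subject getServerSubject() throws WSSecurityException {
        return ContextManagerFactory.getInstance().getServerSubject();
    }

    /**
     * Reports whether {@code subject} carries the same realm-unique security name as
     * {@code subject2} (intended to be the server subject).
     *
     * <p>Both credentials must be present and current, and the caller credential must
     * be authenticated; otherwise the answer is {@code false}. (Currently unreferenced
     * within this class.)
     *
     * @throws CredentialDestroyedException propagated from the credential accessors
     * @throws CredentialExpiredException   propagated from the credential accessors
     */
    private boolean isCallerServerSubject(Subject subject, Subject subject2) throws CredentialDestroyedException, CredentialExpiredException {
        trcLogger.entering(CLASSNAME, "isCallerServerSubject()");
        boolean sameIdentity = false;
        WSCredential callerCred = SubjectHelper.getWSCredentialFromSubject(subject);
        WSCredential serverCred = SubjectHelper.getWSCredentialFromSubject(subject2);
        if (serverCred != null && serverCred.isCurrent()
                && callerCred != null && !callerCred.isUnauthenticated() && callerCred.isCurrent()) {
            String callerName = callerCred.getRealmUniqueSecurityName();
            String serverName = serverCred.getRealmUniqueSecurityName();
            sameIdentity = callerName != null && callerName.equals(serverName);
        }
        trcLogger.exiting(CLASSNAME, "isCallerServerSubject()");
        return sameIdentity;
    }

    /**
     * Asks the container whether {@code subject} holds the WebSphere
     * {@value #WAS_ADMIN_ROLE_NAME} administrative role, under a privileged block so the
     * check does not depend on the caller's own Java 2 permissions.
     *
     * @throws WSSecurityException unwrapped from the privileged action
     */
    private boolean isCallerAdministrator(final Subject subject) throws WSSecurityException {
        trcLogger.entering(CLASSNAME, "isCallerAdministrator()");
        try {
            Boolean granted = (Boolean) AccessController.doPrivileged(new PrivilegedExceptionAction() {
                @Override // java.security.PrivilegedExceptionAction
                public Object run() throws WSSecurityException {
                    return Boolean.valueOf(ContextManagerFactory.getInstance().isGrantedAdminRole(new String[]{WAS_ADMIN_ROLE_NAME}, subject));
                }
            });
            trcLogger.exiting(CLASSNAME, "isCallerAdministrator()");
            return granted.booleanValue();
        } catch (PrivilegedActionException e) {
            // run() only declares WSSecurityException, so this unwrap is exact.
            throw (WSSecurityException) e.getException();
        }
    }

    /**
     * Reports whether WebSphere server security is active: the container has a server
     * subject and reports it as created.
     *
     * <p>Fails toward "enabled": if the container cannot be queried (any exception,
     * including the checked WSSecurityException from getServerSubject()), the default of
     * {@code true} is returned so that callers do not silently fall back to the
     * unsecured paths (plain run() in runAsSuperUser(), no admin check in isSuperUser()).
     */
    public boolean isServerSecurityEnabled() {
        trcLogger.entering(CLASSNAME, "isServerSecurityEnabled()");
        boolean enabled = true;
        try {
            // The whole query sits inside the try: getServerSubject() declares a checked
            // WSSecurityException that this method does not propagate.
            ContextManager contextManager = ContextManagerFactory.getInstance();
            enabled = contextManager.getServerSubject() != null && contextManager.isServerSubjectCreated();
        } catch (Exception e) {
            trcLogger.log(Level.FINE, e.getMessage(), e);
        }
        trcLogger.exiting(CLASSNAME, "isServerSecurityEnabled() - " + enabled);
        return enabled;
    }

    /**
     * Decides whether {@code subject} is treated as a super user, which bypasses every
     * entitlement check in {@link #hasEntitlement}.
     *
     * <p>Baseline: the current thread is inside {@link #runAsSuperUser}. When server
     * security is enabled the WebSphere admin-role check replaces that baseline. If the
     * admin check itself raises a WSSecurityException it is skipped (logged at FINE) and
     * the baseline answer stands, so a failed check can never escalate privilege.
     *
     * @throws AuthSystemException ({@code AUTH_CHECK_FAILURE}) for any other failure during the check
     */
    public boolean isSuperUser(Subject subject) throws AuthSystemException {
        trcLogger.entering(CLASSNAME, "isSuperUser()");
        boolean superUser = this.superUserSubject.equals(runAsSubject.get());
        try {
            if (isServerSecurityEnabled()) {
                boolean wasAdmin = isCallerAdministrator(subject);
                superUser = wasAdmin;
                trcLogger.log(Level.FINER, wasAdmin ? MessageKeys.TRC_IS_WAS_ADMIN : MessageKeys.TRC_IS_NOT_WAS_ADMIN);
            }
        } catch (WSSecurityException e) {
            // Must precede the generic catch (the decompiled order left it unreachable).
            trcLogger.log(Level.FINE, "Skipping administrator role check: " + e.getMessage());
        } catch (Exception e) {
            throw new AuthSystemException("AUTH_CHECK_FAILURE", new Object[]{getSubjectName(subject)}, e, Level.SEVERE);
        }
        if (superUser) {
            trcLogger.log(Level.FINER, MessageKeys.TRC_IS_SUPER_USER);
        }
        trcLogger.exiting(CLASSNAME, "isSuperUser()");
        return superUser;
    }

    /**
     * Runs {@code privilegedExceptionAction} with super-user status on the current thread.
     *
     * <p>With server security enabled the action is delegated to the container's
     * {@code runAsSystem}; otherwise it is simply invoked, with any exception wrapped in a
     * {@link PrivilegedActionException}. The previous thread-local marker is always
     * restored, so nested or failing calls cannot leave the thread marked as super user.
     *
     * @return the action's result
     * @throws PrivilegedActionException wrapping the action's exception
     */
    public Object runAsSuperUser(PrivilegedExceptionAction privilegedExceptionAction) throws PrivilegedActionException {
        trcLogger.entering(CLASSNAME, "runAsSuperUser()");
        Subject previousMarker = runAsSubject.get();
        runAsSubject.set(this.superUserSubject);
        Object result;
        try {
            if (isServerSecurityEnabled()) {
                result = ContextManagerFactory.getInstance().runAsSystem(privilegedExceptionAction);
            } else {
                try {
                    result = privilegedExceptionAction.run();
                } catch (Exception e) {
                    throw new PrivilegedActionException(e);
                }
            }
        } finally {
            runAsSubject.set(previousMarker);
        }
        trcLogger.exiting(CLASSNAME, "runAsSuperUser()");
        return result;
    }

    /**
     * Roles the role-mapping provider assigns to {@code subject} for {@code resource}.
     *
     * @return a new, mutable set of the provider's role objects (never {@code null})
     * @throws AuthSystemException ({@code AUTH_CHECK_FAILURE}) wrapping any provider failure
     */
    public Set getRoles(Subject subject, Resource resource) throws AuthSystemException {
        trcLogger.entering(CLASSNAME, "getRoles()");
        Set roles = new HashSet();
        try {
            Iterator assigned = getRoleMapping().getRoles(getRoleMappingContext(), createEvaluationContext(subject, resource));
            while (assigned.hasNext()) {
                roles.add(assigned.next());
            }
            trcLogger.exiting(CLASSNAME, "getRoles()");
            return roles;
        } catch (Exception e) {
            throw new AuthSystemException("AUTH_CHECK_FAILURE", new Object[]{getSubjectName(subject)}, e, Level.SEVERE);
        }
    }

    /**
     * Resource-independent roles of {@code subject}: every role that is directly
     * assigned (a {@link RoleAssignmentCondition}) to the subject's principal, to any of
     * its groups, or to {@code AllAuthenticatedUsers}. Conditional role mappings of other
     * kinds are ignored here.
     *
     * @return a new, mutable set of role objects (never {@code null})
     * @throws AuthSystemException ({@code AUTH_CHECK_FAILURE}) wrapping any provider failure
     */
    public Set getRoles(Subject subject) throws AuthSystemException {
        trcLogger.entering(CLASSNAME, "getRoles(subject)");
        Set roles = new HashSet();
        try {
            Set groups = this.accessHandler.getSubjectGroups(subject);
            // Copy before adding: the handler's set may be cached/shared or unmodifiable.
            Set principals = groups == null ? new HashSet() : new HashSet(groups);
            principals.add(this.accessHandler.getSubjectPrincipal(subject));
            principals.add(VirtualPrincipal.AllAuthenticatedUsers);
            for (Object principal : principals) {
                Iterator conditions = getRoleMapping().getRoleConditions(getRoleMappingContext(), (Principal) principal);
                while (conditions.hasNext()) {
                    RoleCondition condition = (RoleCondition) conditions.next();
                    if (condition instanceof RoleAssignmentCondition) {
                        roles.add(condition.getRole());
                    }
                }
            }
            trcLogger.exiting(CLASSNAME, "getRoles(subject)", roles);
            return roles;
        } catch (Exception e) {
            throw new AuthSystemException("AUTH_CHECK_FAILURE", new Object[]{getSubjectName(subject)}, e, Level.SEVERE);
        }
    }

    /**
     * Whether {@code entitlement} is granted to {@code subject} at {@code resource} or
     * anywhere underneath it, as answered by the role-mapping provider. Unlike
     * {@link #hasEntitlement} this does not apply the super-user bypass.
     *
     * @throws AuthSystemException ({@code AUTH_CHECK_FAILURE}) wrapping any provider failure
     */
    public boolean doesEntitlementExist(Subject subject, Resource resource, Entitlement entitlement) throws AuthSystemException {
        trcLogger.entering(CLASSNAME, "doesEntitlementExist()");
        try {
            boolean granted = getRoleMapping().hasPermissionAtOrUnderneath(this.policyContextId, createEvaluationContext(subject, resource), EntitlementHelper.getMethodPermission(entitlement));
            trcLogger.exiting(CLASSNAME, "doesEntitlementExist()");
            return granted;
        } catch (Exception e) {
            throw new AuthSystemException("AUTH_CHECK_FAILURE", new Object[]{getSubjectName(subject)}, e, Level.SEVERE);
        }
    }

    /**
     * The main authorization decision: does {@code subject} hold {@code entitlement} on
     * {@code resource}?
     *
     * <p>A super user (see {@link #isSuperUser}) is granted unconditionally. Otherwise the
     * Policy is consulted, under a privileged block, with a ProtectionDomain that carries
     * only the subject's principal (no code source, no static permissions, no class
     * loader), so the decision is purely principal/role based.
     *
     * @throws AuthSystemException ({@code AUTH_CHECK_FAILURE}) wrapping any failure during evaluation
     */
    public boolean hasEntitlement(final Subject subject, Resource resource, final Entitlement entitlement) throws AuthSystemException {
        trcLogger.entering(CLASSNAME, "hasEntitlement()");
        try {
            if (isSuperUser(subject)) {
                trcLogger.exiting(CLASSNAME, "hasEntitlement()");
                return true;
            }
            final EvaluationContext evaluationContext = createEvaluationContext(subject, resource);
            final ProtectionDomain callerDomain = new ProtectionDomain(null, null, null, new Principal[]{this.accessHandler.getSubjectPrincipal(subject)});
            final Permission required = EntitlementHelper.getMethodPermission(entitlement);
            Boolean implied = (Boolean) AccessController.doPrivileged(new PrivilegedAction() {
                @Override // java.security.PrivilegedAction
                public Object run() {
                    return Boolean.valueOf(JACCSecurityManager.this.getPolicy().implies(JACCSecurityManager.this.policyContextId, evaluationContext, callerDomain, required));
                }
            });
            trcLogger.exiting(CLASSNAME, "hasEntitlement()");
            return implied.booleanValue();
        } catch (Exception e) {
            throw new AuthSystemException("AUTH_CHECK_FAILURE", new Object[]{getSubjectName(subject)}, e, Level.SEVERE);
        }
    }

    /**
     * All entitlements the provider grants to {@code subject} on {@code resource}.
     * Only {@link MethodPermission} entries are translated; other permission types in the
     * provider's collection are skipped.
     *
     * @return a new, mutable set of {@link Entitlement}s (never {@code null})
     * @throws AuthSystemException ({@code AUTH_CHECK_FAILURE}) wrapping any provider failure
     */
    public Set getEntitlements(Subject subject, Resource resource) throws AuthSystemException {
        trcLogger.entering(CLASSNAME, "getEntitlements()");
        Set entitlements = new HashSet();
        try {
            Enumeration<Permission> permissions = getRoleMapping().getPermissions(this.policyContextId, createEvaluationContext(subject, resource)).elements();
            while (permissions.hasMoreElements()) {
                Permission permission = permissions.nextElement();
                if (permission instanceof MethodPermission) {
                    entitlements.add(EntitlementHelper.getEntitlement((MethodPermission) permission));
                }
            }
            trcLogger.exiting(CLASSNAME, "getEntitlements()");
            return entitlements;
        } catch (Exception e) {
            throw new AuthSystemException("AUTH_CHECK_FAILURE", new Object[]{getSubjectName(subject)}, e, Level.SEVERE);
        }
    }

    /**
     * Collects the attribute names referenced by the Policy and RoleMapping for this
     * policy context and registers one handler per attribute on the request, subject and
     * resource contexts.
     *
     * <p>Attributes are routed by their source code paired with a name prefix: source 2
     * with {@value #REQUEST_PREFIX}, source 1 with {@value #SUBJECT_PREFIX}, source 3 with
     * {@value #RESOURCE_PREFIX}. (The numeric source codes are provider constants whose
     * symbolic names are not visible here.) The subject context always also serves
     * {@code user} and {@code group}; the resource context always serves {@code is-owner}.
     */
    private void createContextHandlers() throws ClassNotFoundException, PolicyContextException {
        trcLogger.entering(CLASSNAME, "createContextHandlers()");
        HashSet requestAttrs = new HashSet();
        HashSet subjectAttrs = new HashSet();
        HashSet resourceAttrs = new HashSet();
        HashSet<AttributeName> referenced = new HashSet<AttributeName>();
        referenced.addAll(getPolicy().getReferencedAttributeNames(this.policyContextId));
        referenced.addAll(getRoleMapping().getReferencedAttributeNames(getRoleMappingContext()));
        for (AttributeName attributeName : referenced) {
            String name = attributeName.getAttributeName();
            int source = attributeName.getSource();
            if (source == 2 && name.startsWith(REQUEST_PREFIX)) {
                requestAttrs.add(name);
            }
            if (source == 1 && name.startsWith(SUBJECT_PREFIX)) {
                subjectAttrs.add(name);
            }
            if (source == 3 && name.startsWith(RESOURCE_PREFIX)) {
                resourceAttrs.add(name);
            }
        }

        this.requestContext = new RequestContext();
        RequestContextHandlerImpl requestHandler = new RequestContextHandlerImpl(requestAttrs);
        for (Object attr : requestAttrs) {
            this.requestContext.registerHandler((String) attr, requestHandler, true);
        }

        subjectAttrs.add("user");
        subjectAttrs.add("group");
        this.subjectAttributes = new SubjectAttributes();
        SubjectAttributesHandlerImpl subjectHandler = new SubjectAttributesHandlerImpl(subjectAttrs, this.accessHandler);
        for (Object attr : subjectAttrs) {
            this.subjectAttributes.registerHandler((String) attr, subjectHandler, true);
        }

        resourceAttrs.add("is-owner");
        this.resourceContext = new ResourceContext();
        ResourceContextHandlerImpl resourceHandler = new ResourceContextHandlerImpl(resourceAttrs, this.accessHandler);
        for (Object attr : resourceAttrs) {
            this.resourceContext.registerHandler((String) attr, resourceHandler, true);
        }
        trcLogger.exiting(CLASSNAME, "createContextHandlers()");
    }

    /**
     * Builds the evaluation context for one decision: a single policy-context handler
     * serving the subject, resource, request-context, subject-attribute and
     * resource-context keys, with the request context primed from the access handler's
     * parameters for {@code resource}.
     *
     * <p>Note the shared {@code requestContext}: its handler data is overwritten on every
     * call, and the access handler's thread cache is cleared afterwards.
     */
    private EvaluationContext createEvaluationContext(Subject subject, Resource resource) throws PolicyContextException {
        trcLogger.entering(CLASSNAME, "createEvaluationContext()");
        DefaultEvaluationContext evaluationContext = new DefaultEvaluationContext();
        PolicyContextHandlerImpl handler = new PolicyContextHandlerImpl(subject, resource, this.requestContext, this.subjectAttributes, this.resourceContext);
        String[] keys = {
            JACC_SUBJECT_KEY,
            Resource.JACC_RESOURCE_KEY,
            RequestContext.JACC_REQUEST_CONTEXT_KEY,
            SubjectAttributes.JACC_SUBJECT_ATTRIBUTES_KEY,
            ResourceContext.JACC_RESOURCE_CONTEXT_KEY
        };
        for (String key : keys) {
            evaluationContext.registerHandler(key, handler, true);
        }
        this.requestContext.setHandlerData(this.accessHandler.getContextParameters(resource));
        this.accessHandler.clearThreadCache();
        trcLogger.exiting(CLASSNAME, "createEvaluationContext()");
        return evaluationContext;
    }

    /**
     * The locally constructed Policy, or the container default when none was loaded.
     * (Decompiler reports the original access as protected; kept public for callers.)
     */
    public Policy getPolicy() {
        return this.policy == null ? Policy.getPolicy() : (Policy) this.policy;
    }

    /**
     * The locally constructed RoleMapping, or the container default when none was loaded.
     * (Decompiler reports the original access as protected; kept public for callers.)
     */
    public RoleMapping getRoleMapping() {
        return this.roleMapping == null ? RoleMapping.getRoleMapping() : (RoleMapping) this.roleMapping;
    }

    /**
     * The locally constructed PolicyConfigurationFactory, or the JACC default.
     * (Decompiler reports the original access as protected; kept public for callers.)
     */
    public PolicyConfigurationFactory getPolicyConfigFactory() throws ClassNotFoundException, PolicyContextException {
        return this.policyConfigFactory == null ? PolicyConfigurationFactory.getPolicyConfigurationFactory() : (PolicyConfigurationFactory) this.policyConfigFactory;
    }

    /**
     * The locally constructed RoleMappingConfigurationFactory, or the provider default.
     * (Decompiler reports the original access as protected; kept public for callers.)
     */
    public RoleMappingConfigurationFactory getRoleMappingConfigFactory() throws PolicyContextException {
        return this.roleMappingConfigFactory == null ? RoleMappingConfigurationFactory.getRoleMappingConfigurationFactory() : (RoleMappingConfigurationFactory) this.roleMappingConfigFactory;
    }

    /** Role-mapping context of the policy context registered via {@link #registerPolicy}. */
    protected RoleMappingContext getRoleMappingContext() throws PolicyContextException, ClassNotFoundException {
        return getRoleMappingContext(this.policyContextId);
    }

    /**
     * Role-mapping context for an arbitrary policy context id.
     * (Decompiler reports the original access as protected; kept public for callers.)
     */
    public RoleMappingContext getRoleMappingContext(String str) throws PolicyContextException, ClassNotFoundException {
        return getPolicy().getRoleMappingContext(str);
    }

    /**
     * Whether {@code subject} is directly assigned the {@value #ADMIN_ROLE_NAME} role
     * (see {@link #getRoles(Subject)}). Non-String role objects simply do not match.
     *
     * @throws WIMException propagated from the role lookup
     */
    public boolean isAdministrator(Subject subject) throws WIMException {
        for (Object role : getRoles(subject)) {
            if (ADMIN_ROLE_NAME.equals(role)) {
                return true;
            }
        }
        return false;
    }
}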
