package com.ibm.ws.wim.config;

import com.ibm.websphere.wim.ConfigConstants;
import com.ibm.websphere.wim.ServiceProvider;
import com.ibm.websphere.wim.copyright.IBMCopyright;
import com.ibm.websphere.wim.exception.EntityNotFoundException;
import com.ibm.websphere.wim.exception.WIMException;
import com.ibm.websphere.wim.ras.WIMLogger;
import com.ibm.websphere.wim.ras.WIMMessageHelper;
import com.ibm.websphere.wim.ras.WIMTraceHelper;
import com.ibm.ws.wim.ConfigManager;
import com.ibm.ws.wim.SchemaManager;
import com.ibm.ws.wim.security.authz.ProfileSecurityManager;
import com.ibm.ws.wim.security.authz.SDOHelper;
import com.ibm.ws.wim.security.authz.jacc.JACCPolicyDefinition;
import com.ibm.ws.wim.util.DataGraphHelper;
import com.ibm.ws.wim.util.DomainManagerUtils;
import com.ibm.ws.wim.util.UniqueNameHelper;
import commonj.sdo.DataObject;
import java.io.File;
import java.rmi.RemoteException;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.logging.Level;
import java.util.logging.Logger;

/* loaded from: input_file:com/ibm/ws/wim/config/AuthzConfigCommandHelper.class */
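public class AuthzConfigCommandHelper implements ConfigConstants {
    static final String SEARCH_PREFIX = "//entities[@xsi:type=";
    static final String SEARCH_PA_EXPR = "//entities[@xsi:type='PersonAccount' and uid='";
    static final String SEARCH_GROUP_EXPR = "//entities[@xsi:type='Group' and cn='";
    static final String COPYRIGHT_NOTICE = IBMCopyright.COPYRIGHT_NOTICE_LONG_2010;
    private static final String CLASSNAME = AuthzConfigCommandHelper.class.getName();
    private static final Logger trcLogger = WIMLogger.getTraceLogger(CLASSNAME);

    // Keys of the command parameter map handed to the public entry points.
    private static final String PARAM_ROLE_NAME = "roleName";
    private static final String PARAM_GROUP_ID = "groupId";
    private static final String PARAM_USER_ID = "userId";
    // Command-level alias for the special group and the principal name it maps to.
    private static final String ALL_AUTHENTICATED_ALIAS = "ALLAUTHENTICATED";
    private static final String ALL_AUTHENTICATED_PRINCIPAL = "AllAuthenticatedUsers";
    // Status string every mutating command returns on success.
    private static final String COMMAND_COMPLETED = "COMMAND_COMPLETED_SUCCESSFULLY";

    /** Role names a command may map principals to; filled by the static initializer below. */
    static List<String> predefinedRoles = new ArrayList<String>(5);

    static {
        predefinedRoles.add("IdMgrAdmin");
        predefinedRoles.add("IdMgrReader");
        predefinedRoles.add("IdMgrWriter");
    }

    /**
     * Maps a group to one of the predefined roles.
     *
     * @param map command parameters; reads {@code roleName} and {@code groupId}
     * @return {@code COMMAND_COMPLETED_SUCCESSFULLY}
     * @throws Exception if the role is unknown, the group cannot be resolved to exactly one entity,
     *         or the policy update fails
     */
    public String mapGroupToRole(Map map) throws Exception {
        // Trace method name previously read "mapRoleToGroup"; it now matches the method.
        trcLogger.entering(CLASSNAME, "mapGroupToRole", map);
        mapToORRemoveFromRole(roleName(map), groupId(map), false, false);
        trcLogger.exiting(CLASSNAME, "mapGroupToRole");
        return COMMAND_COMPLETED;
    }

    /**
     * Maps a user to one of the predefined roles.
     *
     * @param map command parameters; reads {@code roleName} and {@code userId}
     * @return {@code COMMAND_COMPLETED_SUCCESSFULLY}
     * @throws Exception if the role is unknown, the user cannot be resolved to exactly one entity,
     *         or the policy update fails
     */
    public String mapUserToRole(Map map) throws Exception {
        trcLogger.entering(CLASSNAME, "mapUserToRole", map);
        mapToORRemoveFromRole(roleName(map), userId(map), true, false);
        trcLogger.exiting(CLASSNAME, "mapUserToRole");
        return COMMAND_COMPLETED;
    }

    /**
     * Removes a group from one of the predefined roles.
     *
     * @param map command parameters; reads {@code roleName} and {@code groupId}
     * @return {@code COMMAND_COMPLETED_SUCCESSFULLY}
     * @throws Exception if the role is unknown, the group cannot be resolved, or the policy update fails
     */
    public String removeGroupsFromRole(Map map) throws Exception {
        trcLogger.entering(CLASSNAME, "removeGroupsFromRole", map);
        mapToORRemoveFromRole(roleName(map), groupId(map), false, true);
        trcLogger.exiting(CLASSNAME, "removeGroupsFromRole");
        return COMMAND_COMPLETED;
    }

    /**
     * Removes a user from one of the predefined roles.
     *
     * @param map command parameters; reads {@code roleName} and {@code userId}
     * @return {@code COMMAND_COMPLETED_SUCCESSFULLY}
     * @throws Exception if the role is unknown, the user cannot be resolved, or the policy update fails
     */
    public String removeUsersFromRole(Map map) throws Exception {
        trcLogger.entering(CLASSNAME, "removeUsersFromRole", map);
        mapToORRemoveFromRole(roleName(map), userId(map), true, true);
        trcLogger.exiting(CLASSNAME, "removeUsersFromRole");
        return COMMAND_COMPLETED;
    }

    /**
     * Lists the users mapped to each predefined role.
     *
     * @param map command parameters (not read)
     * @return role name to principal mapping as produced by the policy definition
     * @throws Exception if the policy or its file cannot be read
     */
    public Map listUsersForRoles(Map map) throws Exception {
        return getPolicy().listPrincipalsForRole(getPrincipalRolePolicyFile(), predefinedRoles, true);
    }

    /**
     * Lists the groups mapped to each predefined role.
     *
     * @param map command parameters (not read)
     * @return role name to principal mapping as produced by the policy definition
     * @throws Exception if the policy or its file cannot be read
     */
    public Map listGroupsForRoles(Map map) throws Exception {
        return getPolicy().listPrincipalsForRole(getPrincipalRolePolicyFile(), predefinedRoles, false);
    }

    /** Reads the {@code roleName} command parameter (may be {@code null} if absent). */
    private static String roleName(Map map) {
        return (String) map.get(PARAM_ROLE_NAME);
    }

    /** Reads the {@code userId} command parameter (may be {@code null} if absent). */
    private static String userId(Map map) {
        return (String) map.get(PARAM_USER_ID);
    }

    /**
     * Reads the {@code groupId} command parameter, translating the {@code ALLAUTHENTICATED} alias to
     * the {@code AllAuthenticatedUsers} principal name. Compares constant-first so a missing
     * parameter yields {@code null} instead of a NullPointerException here.
     */
    private static String groupId(Map map) {
        String groupId = (String) map.get(PARAM_GROUP_ID);
        return ALL_AUTHENTICATED_ALIAS.equals(groupId) ? ALL_AUTHENTICATED_PRINCIPAL : groupId;
    }

    /**
     * Shared implementation of the four mutating commands.
     *
     * @param roleName    role to map to / remove from; must be one of {@link #predefinedRoles}
     * @param principalId user id, group id, DN, wildcard or {@code AllAuthenticatedUsers}
     * @param isUser      {@code true} for a user principal, {@code false} for a group
     * @param remove      {@code true} to remove the mapping, {@code false} to add it
     * @throws Exception if validation, lookup or the policy update fails
     */
    private void mapToORRemoveFromRole(String roleName, String principalId, boolean isUser, boolean remove) throws Exception {
        trcLogger.entering(CLASSNAME, "mapToORRemoveFromRole");
        validateRoles(roleName);
        String principalName = resolvePrincipalName(principalId, isUser, remove);
        JACCPolicyDefinition policy = getPolicy();
        String policyFile = getPrincipalRolePolicyFile();
        if (remove) {
            policy.removePrincipalFromRole(roleName, principalName, policyFile, isUser);
        } else {
            policy.mapPrincipalToRole(roleName, principalName, policyFile, isUser);
        }
        trcLogger.exiting(CLASSNAME, "mapToORRemoveFromRole");
    }

    /**
     * Turns a command-supplied principal id into the name stored in the policy file.
     *
     * @return the id itself for the special group and for a wildcard removal; otherwise the
     *         repository entity's unique name
     */
    private String resolvePrincipalName(String principalId, boolean isUser, boolean remove) throws WIMException, RemoteException {
        // The special group is not a repository entity, so it is never looked up.
        if (!isUser && ALL_AUTHENTICATED_PRINCIPAL.equals(principalId)) {
            return principalId;
        }
        // A wildcard is passed through only when removing; when mapping it is looked up like any id.
        if (remove && DataGraphHelper.WILDCARD.equals(principalId)) {
            return principalId;
        }
        return getUniqueName(principalId, isUser);
    }

    /**
     * Obtains the JACC policy definition from the security manager, creating and loading a fresh one
     * when none of that type is registered.
     */
    private JACCPolicyDefinition getPolicy() throws WIMException {
        Object authzPolicy = ProfileSecurityManager.singleton().getAuthzPolicy();
        // instanceof is false for null, so no separate null check is needed.
        if (authzPolicy instanceof JACCPolicyDefinition) {
            return (JACCPolicyDefinition) authzPolicy;
        }
        return getNewJaccPolicy();
    }

    /**
     * Rejects any role name that is not one of {@link #predefinedRoles}.
     *
     * @throws WIMException {@code INVALID_ROLE_NAME} for an unknown (or {@code null}) role
     */
    private void validateRoles(String roleName) throws WIMException {
        if (!predefinedRoles.contains(roleName)) {
            throw new WIMException("INVALID_ROLE_NAME", WIMMessageHelper.generateMsgParms(roleName), Level.SEVERE, CLASSNAME, "validateRoles");
        }
    }

    /**
     * Resolves a principal id to the unique name of exactly one repository entity. Ids that parse as a
     * DN are fetched directly; anything else is searched by uid (users) or cn (groups).
     *
     * @throws WIMException            {@code USER_OR_GROUP_ID_NOT_UNIQUE} when more than one entity matches
     * @throws EntityNotFoundException {@code ENTITY_NOT_FOUND} when nothing matches
     */
    private String getUniqueName(String principalId, boolean isUser) throws WIMException, RemoteException {
        DataObject result = UniqueNameHelper.isDN(principalId) != null
                ? getByUniqueName(principalId)
                : search(principalId, isUser);
        List entities = result.getList(SDOHelper.PROPERTY_ROOT_ENTITIES);
        if (entities.size() > 1) {
            throw new WIMException("USER_OR_GROUP_ID_NOT_UNIQUE", WIMMessageHelper.generateMsgParms(principalId), Level.SEVERE, CLASSNAME, "getUniqueName");
        }
        if (entities.isEmpty()) {
            throw new EntityNotFoundException("ENTITY_NOT_FOUND", WIMMessageHelper.generateMsgParms(principalId), Level.SEVERE, CLASSNAME, "getUniqueName");
        }
        return ((DataObject) entities.get(0)).getDataObject(SDOHelper.PROPERTY_ENTITY_IDENTIFIER).getString("uniqueName");
    }

    /**
     * Searches the repository for a PersonAccount by uid or a Group by cn.
     *
     * @param principalId value matched against uid/cn
     * @param isUser      {@code true} to search users, {@code false} to search groups
     * @return the search result root object; its entities list holds the matches
     */
    private static DataObject search(String principalId, boolean isUser) throws WIMException, RemoteException {
        boolean isLoggable = trcLogger.isLoggable(Level.FINER);
        if (isLoggable) {
            trcLogger.entering(CLASSNAME, "search", "principalName= " + principalId);
        }
        // NOTE(review): the id is spliced into the expression as the body of a quoted literal with no
        // quoting of embedded apostrophes, so an id containing "'" changes the expression rather than
        // the value being matched; the command then resolves a different entity or fails as "not
        // unique". Reject or escape such ids before building the expression once the search-expression
        // grammar's quoting rule is confirmed — TODO confirm.
        String searchExpr = (isUser ? SEARCH_PA_EXPR : SEARCH_GROUP_EXPR) + principalId + "']";
        if (isLoggable) {
            trcLogger.logp(Level.FINER, CLASSNAME, "search", "searchExpr= " + searchExpr);
        }
        ServiceProvider provider = ServiceProvider.singleton();
        DataObject root = SchemaManager.singleton().createRootDataObject();
        DataObject control = root.createDataObject(SDOHelper.PROPERTY_ROOT_CONTROLS, SDOHelper.NAMESPACE, "SearchControl");
        control.setString("expression", searchExpr);
        control.setBoolean("returnSubType", true);
        DataObject result = provider.search(root);
        if (isLoggable) {
            trcLogger.exiting(CLASSNAME, "search", WIMTraceHelper.printDataObject(result));
        }
        return result;
    }

    /**
     * Fetches the entity whose unique name is {@code uniqueName}.
     *
     * @return the get result root object; its entities list holds the match, if any
     */
    private static DataObject getByUniqueName(String uniqueName) throws WIMException, RemoteException {
        ServiceProvider provider = ServiceProvider.singleton();
        DataObject root = SchemaManager.singleton().createRootDataObject();
        root.createDataObject(SDOHelper.PROPERTY_ROOT_ENTITIES)
                .createDataObject(SDOHelper.PROPERTY_ENTITY_IDENTIFIER)
                .setString("uniqueName", uniqueName);
        return provider.get(root);
    }

    /**
     * Builds a policy definition from the authorization section of the configuration and loads the
     * role-permission and principal-role policy files from the authorization home directory.
     */
    private JACCPolicyDefinition getNewJaccPolicy() throws WIMException {
        DataObject authzConfig = getAuthzConfig();
        // Resolve the home directory once instead of three times.
        String authzHome = getAuthzHome();
        JACCPolicyDefinition policy = new JACCPolicyDefinition(
                authzConfig.getString(SDOHelper.CONFIG_JACC_POLICY_CLASS),
                authzConfig.getString(SDOHelper.CONFIG_JACC_ROLEMAPPING_CLASS),
                authzConfig.getString(SDOHelper.CONFIG_JACC_POLICY_FACTORY_CLASS),
                authzConfig.getString(SDOHelper.CONFIG_JACC_ROLEMAPPING_FACTORY_CLASS),
                authzHome);
        policy.loadPolicy(
                authzConfig.getString(SDOHelper.CONFIG_JACC_ROLEPERMISSION_POLICY_ID),
                authzConfig.getString(SDOHelper.CONFIG_JACC_PRINCIPALROLE_POLICY_ID),
                authzHome + File.separator + authzConfig.getString(SDOHelper.CONFIG_JACC_ROLEPERMISSION_FILENAME),
                authzHome + File.separator + authzConfig.getString(SDOHelper.CONFIG_JACC_PRINCIPALROLE_FILENAME));
        return policy;
    }

    /** Returns the authorization section of the current configuration data graph. */
    private DataObject getAuthzConfig() throws WIMException {
        return ConfigManager.singleton().getConfig().getDataGraph().getRootObject()
                .getDataObject(SDOHelper.CONFIG_ROOT)
                .getDataObject(SDOHelper.CONFIG_AUTHORIZATION);
    }

    /**
     * Returns the directory holding the policy files: under the WIM home for the admin domain,
     * otherwise under {@code <domain path>/wim/} for the current domain.
     */
    private String getAuthzHome() throws WIMException {
        if (DomainManagerUtils.isAdminDomain()) {
            return ConfigManager.singleton().getWIMHomePath() + JACCPolicyDefinition.POLICY_SUBDIR;
        }
        return DomainManagerUtils.getDomainPath(DomainManagerUtils.getDomainName())
                + "wim" + File.separator + JACCPolicyDefinition.POLICY_SUBDIR;
    }

    /** Returns the full path of the principal-role policy file. */
    private String getPrincipalRolePolicyFile() throws WIMException {
        return getAuthzHome() + File.separator + getAuthzConfig().getString(SDOHelper.CONFIG_JACC_PRINCIPALROLE_FILENAME);
    }
}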
