package com.ibm.ws.wim.env.was;

import com.ibm.sec.auth.subjectx.VirtualPrincipal;
import com.ibm.sec.authz.jaccx.resource.Resource;
import com.ibm.websphere.security.auth.WSSubject;
import com.ibm.websphere.wim.copyright.IBMCopyright;
import com.ibm.websphere.wim.exception.WIMException;
import com.ibm.websphere.wim.ras.WIMLogger;
import com.ibm.websphere.wim.ras.WIMTraceHelper;
import com.ibm.websphere.wim.security.authz.AccessException;
import com.ibm.websphere.wim.security.authz.AuthSystemException;
import com.ibm.websphere.wim.security.authz.Entitlement;
import com.ibm.ws.bootstrap.ExtClassLoader;
import com.ibm.ws.wim.ConfigManager;
import com.ibm.ws.wim.EnvironmentManager;
import com.ibm.ws.wim.RepositoryManager;
import com.ibm.ws.wim.SchemaManager;
import com.ibm.ws.wim.adapter.file.was.FileAdapter;
import com.ibm.ws.wim.env.IAuthorizationService;
import com.ibm.ws.wim.pluginmanager.PluginManager;
import com.ibm.ws.wim.security.authz.AccessHandler;
import com.ibm.ws.wim.security.authz.AuthPrivilegedException;
import com.ibm.ws.wim.security.authz.EntitlementHelper;
import com.ibm.ws.wim.security.authz.EntitlementRequest;
import com.ibm.ws.wim.security.authz.EntityResource;
import com.ibm.ws.wim.security.authz.MessageKeys;
import com.ibm.ws.wim.security.authz.ProfileAccessHandler;
import com.ibm.ws.wim.security.authz.SDOHelper;
import com.ibm.ws.wim.security.authz.jacc.JACCPolicyDefinition;
import com.ibm.ws.wim.security.authz.jacc.JACCSecurityManager;
import com.ibm.ws.wim.util.DataGraphHelper;
import com.ibm.ws.wim.util.DomainManagerUtils;
import commonj.sdo.DataGraph;
import commonj.sdo.DataObject;
import java.io.File;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.Hashtable;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.security.auth.Subject;

/* loaded from: input_file:com/ibm/ws/wim/env/was/JACCAuthorizationService.class */
public class JACCAuthorizationService implements IAuthorizationService {
    static final String COPYRIGHT_NOTICE = IBMCopyright.COPYRIGHT_NOTICE_LONG_2005_2011;
    private static final String CLASSNAME = JACCAuthorizationService.class.getName();
    private static final Logger msgLogger = WIMLogger.getMessageLogger(MessageKeys.PACKAGE_NAME);
    private static final Logger trcLogger = WIMLogger.getTraceLogger(MessageKeys.PACKAGE_NAME);
    private boolean isAttributeGroupingEnabled;
    private JACCSecurityManager secManager;
    private String defaultAttributeGroup;
    private Map attributeGroups;
    private Subject runAsSubject;
    private AccessHandler accessHandler = new ProfileAccessHandler();
    private boolean isSecurityEnabled = false;
    public DataGraph finalConfig = null;
    public Object finalObject = null;
    public boolean isArgusLoaded = false;

    /**
     * Initializes the service from a configuration graph without an externally supplied
     * security manager; see {@link #initialize(DataGraph, Object)} for the full contract.
     *
     * @param dataGraph VMM configuration graph; null is permitted and, while the policy has
     *                  not been loaded yet, causes the configuration to be fetched from
     *                  the ConfigManager singleton
     * @throws WIMException if initialization fails
     */
    @Override
    public synchronized void initialize(DataGraph dataGraph) throws WIMException {
        // No pre-built JACCSecurityManager: when security is enabled, one is constructed
        // from the configuration instead.
        final Object noSecurityManager = null;
        initialize(dataGraph, noSecurityManager);
    }

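    /**
     * Initializes the authorization service.
     * <p>
     * The actual work is done by {@link #initialize2(DataGraph, Object)}. This wrapper runs it
     * in a privileged block with the thread's context class loader temporarily switched to the
     * WebSphere extension class loader (falling back to this class's own loader) so that the
     * JACC policy / role-mapping classes named in the configuration can be resolved.
     *
     * @param dataGraph VMM configuration graph, or null to have it loaded from the ConfigManager
     * @param obj       an optional pre-built {@link JACCSecurityManager}; null builds one from
     *                  the configuration when security is enabled
     * @throws WIMException if initialization fails; the underlying failure is attached as the cause
     */
    @Override
    public synchronized void initialize(final DataGraph dataGraph, final Object obj) throws WIMException {
        try {
            AccessController.doPrivileged(new PrivilegedExceptionAction<Void>() {
                @Override
                public Void run() throws WIMException {
                    final Thread current = Thread.currentThread();
                    final ClassLoader savedLoader = current.getContextClassLoader();
                    ClassLoader initLoader = ExtClassLoader.getInstance();
                    if (initLoader == null) {
                        initLoader = getClass().getClassLoader();
                    }
                    current.setContextClassLoader(initLoader);
                    try {
                        JACCAuthorizationService.this.initialize2(dataGraph, obj);
                    } finally {
                        // Restore the caller's context class loader even when initialize2
                        // throws; the original code only restored it on the success path,
                        // leaving a (possibly pooled) thread running with the extension loader.
                        current.setContextClassLoader(savedLoader);
                    }
                    return null;
                }
            });
        } catch (Exception e) {
            throw new WIMException(e.getMessage(), CLASSNAME, "initialize", e);
        }
    }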

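    /**
     * Performs the real initialization: records the configuration, and — once the WAS server
     * is up and the policy has not been loaded yet — builds or adopts the JACC security
     * manager, registers the role-permission / principal-role policies, and loads the
     * attribute groups.
     * <p>
     * Called from {@link #initialize(DataGraph, Object)} under the service monitor and with the
     * extension class loader as context class loader.
     *
     * @param dataGraph VMM configuration graph, or null to load it from the ConfigManager
     * @param obj       a pre-built {@link JACCSecurityManager}, or null to build one from the
     *                  configuration; anything else fails with a ClassCastException
     * @throws WIMException if policy loading, registration or attribute-group loading fails
     */
    public void initialize2(DataGraph dataGraph, Object obj) throws WIMException {
        if (!this.isArgusLoaded && null == dataGraph) {
            trcLogger.logp(Level.FINER, CLASSNAME, "initialize2", "config is null, get if from configManager");
            dataGraph = ConfigManager.singleton().getConfig().getDataGraph();
            trcLogger.logp(Level.FINER, CLASSNAME, "initialize2", WIMTraceHelper.printDataGraph(dataGraph));
        }
        this.finalConfig = dataGraph;
        this.finalObject = obj;
        // Nothing to do until the server is up, or if the policy has already been loaded.
        // Security note: isArgusLoaded is a public mutable field. If it is set to true before
        // this method has run, isSecurityEnabled keeps its default (false) and every
        // checkPermission_* method becomes a no-op.
        if (!EnvironmentManager.getWASServerStatus() || this.isArgusLoaded) {
            return;
        }
        trcLogger.entering(CLASSNAME, "initialize2()");
        JACCSecurityManager jACCSecurityManager = (JACCSecurityManager) obj;
        if (this.secManager == null) {
            DataObject dataObject = dataGraph.getRootObject().getDataObject(SDOHelper.CONFIG_ROOT).getDataObject(SDOHelper.CONFIG_AUTHORIZATION);
            this.isSecurityEnabled = dataObject.getBoolean(SDOHelper.CONFIG_SECURITY_ENABLED);
            if (this.isSecurityEnabled) {
                if (jACCSecurityManager == null) {
                    // Policy files live under the WIM home (admin domain) or under the
                    // domain's "wim" directory. The domain name comes from DomainManagerUtils
                    // and is assumed to be server-controlled, not end-user input — confirm.
                    String str = DomainManagerUtils.isAdminDomain() ? ConfigManager.singleton().getWIMHomePath() + JACCPolicyDefinition.POLICY_SUBDIR : DomainManagerUtils.getDomainPath(DomainManagerUtils.getDomainName()) + "wim" + File.separator + JACCPolicyDefinition.POLICY_SUBDIR;
                    // Either use the configured policy/role-mapping classes or the system JACC provider.
                    JACCPolicyDefinition jACCPolicyDefinition = !dataObject.getBoolean(SDOHelper.CONFIG_USE_SYSTEM_JACC_PROVIDER) ? new JACCPolicyDefinition(dataObject.getString(SDOHelper.CONFIG_JACC_POLICY_CLASS), dataObject.getString(SDOHelper.CONFIG_JACC_ROLEMAPPING_CLASS), dataObject.getString(SDOHelper.CONFIG_JACC_POLICY_FACTORY_CLASS), dataObject.getString(SDOHelper.CONFIG_JACC_ROLEMAPPING_FACTORY_CLASS), str) : new JACCPolicyDefinition();
                    if (dataObject.getBoolean(SDOHelper.CONFIG_IMPORT_POLICY_FROM_FILE)) {
                        jACCPolicyDefinition.loadPolicy(dataObject.getString(SDOHelper.CONFIG_JACC_ROLEPERMISSION_POLICY_ID), dataObject.getString(SDOHelper.CONFIG_JACC_PRINCIPALROLE_POLICY_ID), str + File.separator + dataObject.getString(SDOHelper.CONFIG_JACC_ROLEPERMISSION_FILENAME), str + File.separator + dataObject.getString(SDOHelper.CONFIG_JACC_PRINCIPALROLE_FILENAME));
                    }
                    this.secManager = jACCPolicyDefinition;
                } else {
                    // Caller-supplied manager is trusted as-is.
                    this.secManager = jACCSecurityManager;
                }
                this.secManager.registerPolicy(dataObject.getString(SDOHelper.CONFIG_JACC_ROLEPERMISSION_POLICY_ID), dataObject.getString(SDOHelper.CONFIG_JACC_PRINCIPALROLE_POLICY_ID), this.accessHandler);
                loadAttributeGroups(dataObject);
                msgLogger.log(Level.INFO, "AUTH_INIT_SUCCESS");
            }
        }
        refreshPolicy();
        this.isArgusLoaded = true;
        // Fixed: the exit trace previously named "initialize()" while the entry trace named "initialize2()".
        trcLogger.exiting(CLASSNAME, "initialize2()");
    }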

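    /**
     * Reloads the JACC policy when security is enabled; a no-op otherwise.
     * <p>
     * Delegates to {@link #refreshPolicy()} so there is a single implementation. The original
     * traced "refreshPolicy()" on entry and logged an entering (not exiting) trace on exit;
     * both are corrected here.
     */
    @Override
    public void refresh() {
        trcLogger.entering(CLASSNAME, "refresh()");
        refreshPolicy();
        trcLogger.exiting(CLASSNAME, "refresh()");
    }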

    /**
     * Reads the attribute-grouping configuration and builds the attribute-name → group-name map.
     * <p>
     * An attribute may belong to exactly one group: attribute-level entitlements are evaluated
     * per group (see how {@code getGroupForAttribute} is used elsewhere in this class), so a
     * duplicate membership would make the permission lookup ambiguous and is rejected.
     *
     * @param dataObject the authorization section of the configuration
     * @throws AuthSystemException (a WIMException) with key AUTH_ATTR_MULTIPLE_GROUP when an
     *                             attribute name appears in more than one group
     */
    private void loadAttributeGroups(DataObject dataObject) throws WIMException {
        trcLogger.entering(CLASSNAME, "loadAttributeGroups()");
        this.isAttributeGroupingEnabled = dataObject.getBoolean(SDOHelper.CONFIG_ATTRIB_GROUPING_ENABLED);
        this.defaultAttributeGroup = dataObject.getString(SDOHelper.CONFIG_DEFAULT_ATTR_GROUP);
        // The field is (re)assigned before population, exactly as before.
        this.attributeGroups = new Hashtable();
        List groupConfigs = dataObject.getList(SDOHelper.CONFIG_ATTRGROUPS);
        for (Object groupEntry : groupConfigs) {
            DataObject groupConfig = (DataObject) groupEntry;
            String groupName = groupConfig.getString(SDOHelper.CONFIG_ATTRGROUPS_GROUPNAME);
            int attrCount = groupConfig.getList(SDOHelper.CONFIG_ATTRGROUPS_ATTRNAMES).size();
            for (int idx = 0; idx < attrCount; idx++) {
                // Index-path access ("attributeNames.N") into the group's attribute list.
                String attrName = groupConfig.getString("attributeNames." + idx);
                Object previousGroup = this.attributeGroups.put(attrName, groupName);
                if (previousGroup != null) {
                    throw new AuthSystemException("AUTH_ATTR_MULTIPLE_GROUP", new Object[]{attrName}, Level.SEVERE);
                }
            }
        }
        trcLogger.exiting(CLASSNAME, "loadAttributeGroups()");
    }

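    /**
     * Asks the security manager to reload its policy; a no-op when security is disabled
     * (in which case {@code secManager} may be null and must not be touched).
     * <p>
     * The original logged an entering trace on the way out; that is now an exiting trace.
     */
    public void refreshPolicy() {
        trcLogger.entering(CLASSNAME, "refreshPolicy()");
        if (this.isSecurityEnabled) {
            this.secManager.refreshPolicy();
        }
        trcLogger.exiting(CLASSNAME, "refreshPolicy()");
    }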

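    /**
     * Requires the caller to be a VMM super user or a WebSphere administrator.
     * <p>
     * The check is only enforced when VMM security is enabled and the security manager reports
     * that server security is enabled; otherwise it passes silently.
     * <p>
     * Unlike the other {@code checkPermission_*} methods, the original did not trigger lazy
     * initialization first, so a call made before {@code initialize2} had run saw
     * {@code isSecurityEnabled == false} and passed (fail-open). This version initializes under
     * the same guard {@link #runAsSuperUser(PrivilegedExceptionAction)} uses.
     *
     * @param entitlement the entitlement reported in the AccessException on denial
     * @throws AccessException (a WIMException) when the caller is neither super user nor administrator
     * @throws WIMException     if the caller subject cannot be resolved or initialization fails
     */
    @Override
    public void checkPermission_SuperUser(Entitlement entitlement) throws WIMException {
        trcLogger.entering(CLASSNAME, "checkPermission_SuperUser()");
        if (EnvironmentManager.getWASServerStatus() && !this.isArgusLoaded) {
            initialize(this.finalConfig, this.finalObject);
        }
        if (this.isSecurityEnabled) {
            Subject callerSubject = getCallerSubject();
            boolean privileged = this.secManager.isSuperUser(callerSubject)
                    || this.secManager.isAdministrator(callerSubject);
            if (this.secManager.isServerSecurityEnabled() && !privileged) {
                throw new AccessException(getCallerSubjectUniqueName(), "administrator", entitlement, Level.SEVERE);
            }
        }
        trcLogger.exiting(CLASSNAME, "checkPermission_SuperUser()");
    }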

    /**
     * Reports whether the current caller is a VMM super user or a WebSphere administrator.
     * Always false while security is disabled.
     *
     * @return true when security is enabled and the caller is a super user or administrator
     * @throws WIMException if initialization fails or the caller subject cannot be resolved
     */
    @Override
    public boolean isCallerSuperUser() throws WIMException {
        initialize(this.finalConfig, this.finalObject);
        trcLogger.entering(CLASSNAME, "isCallerSuperUser()");
        // The subject is resolved even when security is off (same as before).
        Subject caller = getCallerSubject();
        boolean privileged = false;
        if (this.isSecurityEnabled) {
            privileged = this.secManager.isSuperUser(caller) || this.secManager.isAdministrator(caller);
        }
        trcLogger.exiting(CLASSNAME, "isCallerSuperUser() - " + privileged);
        return privileged;
    }

    /**
     * Authorizes creation of the given entity.
     * <p>
     * Decision order: no security → allowed; super user → allowed (bypass traced); caller's
     * roles grant write access → allowed; otherwise a CREATE entitlement on the entity type is
     * required and every attribute being written must be entitled for WRITE (an unentitled
     * attribute fails the request — nothing is silently dropped on a write).
     *
     * @param entityResource the entity to be created
     * @throws WIMException on denial (via checkAccessResult) or if the subject cannot be resolved
     */
    @Override
    public void checkPermission_CREATE(EntityResource entityResource) throws WIMException {
        trcLogger.entering(CLASSNAME, "checkPermission_CREATE()");
        initialize(this.finalConfig, this.finalObject);
        Subject caller = getCallerSubject();
        if (!this.isSecurityEnabled) {
            trcLogger.exiting(CLASSNAME, "checkPermission_CREATE()");
            return;
        }
        if (this.secManager.isSuperUser(caller)) {
            trcLogger.log(Level.FINER, MessageKeys.TRC_SUPER_USER_BYPASS);
            return;
        }
        Set callerRoles = this.secManager.getRoles(caller);
        if (hasWriteAccess(callerRoles)) {
            traceAccessResult(MessageKeys.TRC_VMM_AUTHORIZED_USER, callerRoles, Level.FINEST);
        } else {
            String entityType = SDOHelper.getEntityType(entityResource.getEntity(), true);
            EntityResource typedResource = new EntityResource(entityResource, entityType, getDelegatedAdminViewId(entityResource, RepositoryManager.ACTION_CREATE));
            Entitlement createEntitlement = new Entitlement(RepositoryManager.ACTION_CREATE, entityType);
            boolean granted = this.secManager.hasEntitlement(caller, typedResource, createEntitlement);
            checkAccessResult(typedResource, createEntitlement, granted);
            checkAttributePermissions(typedResource, "WRITE", false, false);
        }
        trcLogger.exiting(CLASSNAME, "checkPermission_CREATE()");
    }

    /**
     * Authorizes deletion of the given entity.
     * <p>
     * Decision order: no security → allowed; super user → allowed; caller's roles grant write
     * access → allowed; otherwise an entitlement check against the JACC policy. When
     * {@code z} is set, DELETE_DESCENDANTS is required; otherwise DELETE is checked first and
     * DELETE_DESCENDANTS accepted as a fallback. No attribute-level check is performed here.
     *
     * @param entityResource the entity to be deleted
     * @param z              whether descendants are deleted too (then DELETE_DESCENDANTS is required)
     * @throws WIMException on denial (via checkAccessResult) or if the subject cannot be resolved
     */
    @Override
    public void checkPermission_DELETE(EntityResource entityResource, boolean z) throws WIMException {
        trcLogger.entering(CLASSNAME, "checkPermission_DELETE()");
        initialize(this.finalConfig, this.finalObject);
        Subject caller = getCallerSubject();
        if (!this.isSecurityEnabled) {
            trcLogger.exiting(CLASSNAME, "checkPermission_DELETE()");
            return;
        }
        if (this.secManager.isSuperUser(caller)) {
            trcLogger.log(Level.FINER, MessageKeys.TRC_SUPER_USER_BYPASS);
            return;
        }
        Set callerRoles = this.secManager.getRoles(caller);
        if (hasWriteAccess(callerRoles)) {
            traceAccessResult(MessageKeys.TRC_VMM_AUTHORIZED_USER, callerRoles, Level.FINEST);
        } else {
            String entityType = SDOHelper.getEntityType(entityResource.getEntity(), false);
            EntityResource typedResource = new EntityResource(entityResource, entityType, getDelegatedAdminViewId(entityResource, RepositoryManager.ACTION_DELETE));
            Entitlement deleteOne = new Entitlement(RepositoryManager.ACTION_DELETE, entityType);
            Entitlement deleteTree = new Entitlement("DELETE_DESCENDANTS", entityType);
            Entitlement required = z ? deleteTree : deleteOne;
            boolean granted = this.secManager.hasEntitlement(caller, typedResource, required);
            if (!z && !granted) {
                // A plain delete is also satisfied by the broader DELETE_DESCENDANTS entitlement.
                granted = this.secManager.hasEntitlement(caller, typedResource, deleteTree);
            }
            checkAccessResult(typedResource, required, granted);
        }
        trcLogger.exiting(CLASSNAME, "checkPermission_DELETE()");
    }

    /**
     * Authorizes an update of the given entity.
     * <p>
     * Same decision order as {@link #checkPermission_CREATE(EntityResource)}: no security,
     * super user, or a write-access role short-circuit to "allowed"; otherwise an UPDATE
     * entitlement on the entity type is required, followed by a WRITE check on every attribute
     * present (a denied attribute fails the whole update).
     *
     * @param entityResource the entity to be updated
     * @throws WIMException on denial (via checkAccessResult) or if the subject cannot be resolved
     */
    @Override
    public void checkPermission_UPDATE(EntityResource entityResource) throws WIMException {
        trcLogger.entering(CLASSNAME, "checkPermission_UPDATE()");
        initialize(this.finalConfig, this.finalObject);
        Subject caller = getCallerSubject();
        if (!this.isSecurityEnabled) {
            trcLogger.exiting(CLASSNAME, "checkPermission_UPDATE()");
            return;
        }
        if (this.secManager.isSuperUser(caller)) {
            trcLogger.log(Level.FINER, MessageKeys.TRC_SUPER_USER_BYPASS);
            return;
        }
        Set callerRoles = this.secManager.getRoles(caller);
        if (hasWriteAccess(callerRoles)) {
            traceAccessResult(MessageKeys.TRC_VMM_AUTHORIZED_USER, callerRoles, Level.FINEST);
        } else {
            String entityType = SDOHelper.getEntityType(entityResource.getEntity(), false);
            EntityResource typedResource = new EntityResource(entityResource, entityType, getDelegatedAdminViewId(entityResource, RepositoryManager.ACTION_UPDATE));
            Entitlement updateEntitlement = new Entitlement(RepositoryManager.ACTION_UPDATE, entityType);
            boolean granted = this.secManager.hasEntitlement(caller, typedResource, updateEntitlement);
            checkAccessResult(typedResource, updateEntitlement, granted);
            checkAttributePermissions(typedResource, "WRITE", false, false);
        }
        trcLogger.exiting(CLASSNAME, "checkPermission_UPDATE()");
    }

    /**
     * Authorizes a read of the given entity and filters it down to what the caller may see.
     * <p>
     * No security, super user, or a read-access role return the entity untouched. Otherwise a
     * GET entitlement on the entity type is required; then every attribute is checked for READ,
     * with denied attributes removed from the entity rather than failing the request, and nested
     * entity-typed attributes checked recursively through this method.
     *
     * @param entityResource the entity being read
     * @return the (possibly attribute-stripped) entity
     * @throws WIMException on denial of the GET entitlement (via checkAccessResult) or if the
     *                      subject cannot be resolved
     */
    @Override
    public DataObject checkPermission_GET(EntityResource entityResource) throws WIMException {
        trcLogger.entering(CLASSNAME, "checkPermission_GET()");
        initialize(this.finalConfig, this.finalObject);
        Subject caller = getCallerSubject();
        if (!this.isSecurityEnabled) {
            trcLogger.exiting(CLASSNAME, "checkPermission_GET()");
            return entityResource.getEntity();
        }
        if (this.secManager.isSuperUser(caller)) {
            trcLogger.log(Level.FINER, MessageKeys.TRC_SUPER_USER_BYPASS);
            return entityResource.getEntity();
        }
        Set callerRoles = this.secManager.getRoles(caller);
        if (hasReadAccess(callerRoles)) {
            traceAccessResult(MessageKeys.TRC_VMM_AUTHORIZED_USER, callerRoles, Level.FINEST);
            return entityResource.getEntity();
        }
        String entityType = SDOHelper.getEntityType(entityResource.getEntity(), true);
        EntityResource typedResource = new EntityResource(entityResource, entityType, getDelegatedAdminViewId(entityResource, "GET"));
        Entitlement getEntitlement = new Entitlement("GET", entityType);
        boolean granted = this.secManager.hasEntitlement(caller, typedResource, getEntitlement);
        checkAccessResult(typedResource, getEntitlement, granted);
        // READ, strip denied attributes, descend into nested entities.
        checkAttributePermissions(typedResource, RepositoryManager.ACTION_READ, true, true);
        trcLogger.exiting(CLASSNAME, "checkPermission_GET()");
        return typedResource.getEntity();
    }

    /**
     * LOGIN hook: performs no authorization check at all.
     * <p>
     * It only triggers lazy initialization and returns the entity unchanged — no caller-subject
     * resolution, no entitlement check, no attribute filtering. Any restriction on who may
     * authenticate must therefore be enforced elsewhere; this layer is pass-through.
     *
     * @param entityResource the entity involved in the login
     * @return the entity, as-is
     * @throws WIMException if initialization fails
     */
    @Override
    public DataObject checkPermission_LOGIN(EntityResource entityResource) throws WIMException {
        trcLogger.entering(CLASSNAME, "checkPermission_LOGIN()");
        initialize(this.finalConfig, this.finalObject);
        DataObject unfiltered = entityResource.getEntity();
        trcLogger.exiting(CLASSNAME, "checkPermission_LOGIN()");
        return unfiltered;
    }

    /**
     * Authorizes one search result and filters it to what the caller may read.
     * <p>
     * No security, super user, or a read-access role return the entity untouched. Otherwise a
     * SEARCH entitlement on the entity type is required and, if the caller supplied an extra
     * {@code entitlement}, that one (mapped to its attribute group) must hold as well. Unlike
     * the other checks, a denial does NOT throw: the method returns null so the entity is simply
     * dropped from the result set. On success the READ attribute check strips unreadable
     * attributes but does not descend into nested entities.
     *
     * @param entityResource one entity from the search result
     * @param entitlement    optional additional entitlement the caller must hold; may be null
     * @return the (possibly attribute-stripped) entity, or null when the caller is not entitled
     * @throws WIMException if initialization fails or the subject cannot be resolved
     */
    @Override
    public DataObject checkPermission_SEARCH(EntityResource entityResource, Entitlement entitlement) throws WIMException {
        trcLogger.entering(CLASSNAME, "checkPermission_SEARCH()");
        initialize(this.finalConfig, this.finalObject);
        Subject caller = getCallerSubject();
        if (!this.isSecurityEnabled) {
            trcLogger.exiting(CLASSNAME, "checkPermission_SEARCH()");
            return entityResource.getEntity();
        }
        if (this.secManager.isSuperUser(caller)) {
            trcLogger.log(Level.FINER, MessageKeys.TRC_SUPER_USER_BYPASS);
            return entityResource.getEntity();
        }
        Set callerRoles = this.secManager.getRoles(caller);
        if (hasReadAccess(callerRoles)) {
            traceAccessResult(MessageKeys.TRC_VMM_AUTHORIZED_USER, callerRoles, Level.FINEST);
            return entityResource.getEntity();
        }
        String entityType = SDOHelper.getEntityType(entityResource.getEntity(), true);
        EntityResource typedResource = new EntityResource(entityResource, entityType, getDelegatedAdminViewId(entityResource, "SEARCH"));
        Entitlement checked = new Entitlement("SEARCH", entityType);
        boolean granted = this.secManager.hasEntitlement(caller, typedResource, checked);
        boolean extraEntitlementChecked = false;
        if (granted && entitlement != null) {
            checked = getMappedEntitlement(entitlement);
            granted = this.secManager.hasEntitlement(caller, typedResource, checked);
            extraEntitlementChecked = true;
        }
        if (!granted) {
            String failureKey = extraEntitlementChecked ? MessageKeys.TRC_ENTITLE_FAILURE : MessageKeys.TRC_ACCESS_FAILURE;
            traceAccessResult(failureKey, Level.FINE, typedResource, checked);
            return null;
        }
        String successKey = extraEntitlementChecked ? MessageKeys.TRC_ENTITLE_SUCCESS : MessageKeys.TRC_ACCESS_SUCCESS;
        traceAccessResult(successKey, Level.FINEST, typedResource, checked);
        checkAttributePermissions(typedResource, RepositoryManager.ACTION_READ, true, false);
        trcLogger.exiting(CLASSNAME, "checkPermission_SEARCH()");
        return typedResource.getEntity();
    }

    /**
     * Checks the caller's attribute-level entitlement for every attribute present on the entity.
     * <p>
     * Entitlements are evaluated per attribute group (via {@code getGroupForAttribute}) and the
     * decisions are memoized in a per-call map so each (method, group) pair hits the policy once.
     *
     * @param entityResource the entity whose attributes are checked
     * @param action         the entitlement method, e.g. READ or "WRITE"
     * @param stripDenied    for READ only: remove a denied attribute from the entity (and trace)
     *                       instead of failing the request
     * @param descend        also run {@link #checkPermission_GET(EntityResource)} on each value of
     *                       an entity-typed attribute instead of checking the attribute itself
     * @throws WIMException on a denied attribute (via checkAccessResult) unless it was stripped,
     *                      or if the subject cannot be resolved
     */
    private void checkAttributePermissions(EntityResource entityResource, String action, boolean stripDenied, boolean descend) throws WIMException {
        trcLogger.entering(CLASSNAME, "checkAttributePermissions()");
        Subject caller = getCallerSubject();
        Map decisionCache = new Hashtable();
        DataObject entity = entityResource.getEntity();
        for (String attrName : SDOHelper.getEntityAttributes(entity, false, false)) {
            String attrGroup = getGroupForAttribute(attrName);
            if (descend && SDOHelper.isAttributeEntityType(entity, attrName)) {
                List nested;
                if (SDOHelper.isAttributeMultiValued(entity, attrName)) {
                    nested = entity.getList(attrName);
                } else {
                    nested = new ArrayList();
                    nested.add(entity.getDataObject(attrName));
                }
                for (Object child : nested) {
                    checkPermission_GET(new EntityResource(entityResource.getRoot(), (DataObject) child));
                }
                continue;
            }
            Entitlement attrEntitlement = new Entitlement(action, entityResource.getEntityType(), attrGroup);
            boolean granted = hasAttributeEntitlement(caller, entityResource, attrEntitlement, decisionCache);
            boolean stripInsteadOfFail = !granted && action.equals(RepositoryManager.ACTION_READ) && stripDenied;
            if (stripInsteadOfFail) {
                // Reads degrade gracefully: the unreadable attribute is dropped from the result.
                entity.unset(attrName);
                traceAccessResult(MessageKeys.TRC_ACCESS_FAILURE, Level.FINE, entityResource, attrEntitlement);
            } else {
                checkAccessResult(entityResource, attrEntitlement, granted);
            }
        }
        trcLogger.exiting(CLASSNAME, "checkAttributePermissions()");
    }

    /**
     * Memoized attribute-entitlement lookup.
     * <p>
     * The cache key is "method:attribute" only; it does not include the resource, so a map must
     * only be shared between lookups against the same resource (which is how the callers in this
     * class use it — the map is local to one call and one resource).
     *
     * @param subject        the caller
     * @param entityResource the resource the entitlement is evaluated against
     * @param entitlement    attribute-level entitlement (method + entity type + attribute group)
     * @param map            per-call decision cache, keyed by "method:attribute"
     * @return whether the subject holds the entitlement
     * @throws WIMException propagated from the security manager
     */
    private boolean hasAttributeEntitlement(Subject subject, EntityResource entityResource, Entitlement entitlement, Map map) throws WIMException {
        trcLogger.entering(CLASSNAME, "hasAttributeEntitlement()");
        String cacheKey = entitlement.getMethod() + ":" + entitlement.getAttribute();
        Boolean decision = (Boolean) map.get(cacheKey);
        if (decision == null) {
            boolean granted = this.secManager.hasEntitlement(subject, entityResource, entitlement);
            decision = Boolean.valueOf(granted);
            map.put(cacheKey, decision);
        }
        trcLogger.exiting(CLASSNAME, "hasAttributeEntitlement()");
        return decision.booleanValue();
    }

    /**
     * Maps an attribute entitlement onto its attribute group, since the policy is defined per
     * group rather than per attribute. Non-attribute entitlements are returned unchanged.
     *
     * @param entitlement entitlement as supplied by the caller
     * @return the same entitlement with the attribute replaced by its group, or the input itself
     */
    private Entitlement getMappedEntitlement(Entitlement entitlement) {
        trcLogger.entering(CLASSNAME, "getMappedEntitlement()");
        Entitlement mapped = entitlement;
        if (entitlement.isAttributeEntitlement()) {
            String attrGroup = getGroupForAttribute(entitlement.getAttribute());
            mapped = new Entitlement(entitlement.getMethod(), entitlement.getObject(), attrGroup);
        }
        trcLogger.exiting(CLASSNAME, "getMappedEntitlement()");
        return mapped;
    }

    /**
     * Returns the caller's roles on the given entity, as decided by the security manager.
     *
     * @param entityResource the entity the roles apply to
     * @return the role set, or null when security is disabled
     * @throws WIMException if the subject cannot be resolved or the security manager fails
     */
    @Override
    public Set getRoles(EntityResource entityResource) throws WIMException {
        trcLogger.entering(CLASSNAME, "getRoles()");
        Subject caller = getCallerSubject();
        Set roles = null;
        if (this.isSecurityEnabled) {
            String entityType = SDOHelper.getEntityType(entityResource.getEntity(), true);
            EntityResource typedResource = new EntityResource(entityResource, entityType, getDelegatedAdminViewId(entityResource, "GET_ENTITLEMENTS"));
            roles = this.secManager.getRoles(caller, typedResource);
        }
        trcLogger.exiting(CLASSNAME, "getRoles()");
        return roles;
    }

    /**
     * Asks the security manager whether the caller holds the given entitlement on the entity
     * (attribute entitlements are first mapped to their attribute group).
     *
     * @param entityResource the entity to evaluate against
     * @param entitlement    the entitlement to test
     * @return true if held; always false when security is disabled
     * @throws WIMException if the subject cannot be resolved or the security manager fails
     */
    @Override
    public boolean doesEntitlementExist(EntityResource entityResource, Entitlement entitlement) throws WIMException {
        trcLogger.entering(CLASSNAME, "doesEntitlementExist()");
        Subject caller = getCallerSubject();
        boolean exists = false;
        if (this.isSecurityEnabled) {
            String entityType = SDOHelper.getEntityType(entityResource.getEntity(), true);
            EntityResource typedResource = new EntityResource(entityResource, entityType, getDelegatedAdminViewId(entityResource, "GET_ENTITLEMENTS"));
            exists = this.secManager.doesEntitlementExist(caller, typedResource, getMappedEntitlement(entitlement));
        }
        trcLogger.exiting(CLASSNAME, "doesEntitlementExist()");
        return exists;
    }

    /**
     * Collects the caller's entitlements on an entity for an entitlement-info request.
     * <p>
     * Object entitlements come from the security manager, filtered to non-attribute ones that
     * apply to this entity type, and are re-expressed against the entity type. Attribute
     * entitlements are computed per requested attribute (or all attributes when none are named)
     * by checking the attribute's group: READ is reported only for non-entity-typed attributes,
     * while WRITE is reported for any attribute whose group is writable.
     *
     * @param entityResource     the entity to report on
     * @param entitlementRequest what to include
     * @return the entitlement set, or null when security is disabled
     * @throws WIMException if the subject cannot be resolved or the security manager fails
     */
    @Override
    public Set getEntitlements(EntityResource entityResource, EntitlementRequest entitlementRequest) throws WIMException {
        trcLogger.entering(CLASSNAME, "getEntitlements()");
        Subject caller = getCallerSubject();
        if (!this.isSecurityEnabled) {
            trcLogger.exiting(CLASSNAME, "getEntitlements()");
            return null;
        }
        Map decisionCache = new Hashtable();
        String entityType = SDOHelper.getEntityType(entityResource.getEntity(), true);
        EntityResource typedResource = new EntityResource(entityResource, entityType, getDelegatedAdminViewId(entityResource, "GET_ENTITLEMENTS"));
        // Always queried (as before), even if object entitlements were not requested.
        Set<Entitlement> fromPolicy = this.secManager.getEntitlements(caller, typedResource);
        Set result = new HashSet();
        if (entitlementRequest.isObjectEntitlementsDesired()) {
            for (Entitlement held : fromPolicy) {
                if (!held.isAttributeEntitlement() && isEntitlementApplicable(entityType, held)) {
                    result.add(new Entitlement(held.getMethod(), entityType));
                }
            }
        }
        if (entitlementRequest.isAttributeEntitlementsDesired()) {
            for (String attrName : entitlementRequest.getEntitlementAttributes() == null ? SDOHelper.getEntityAttributes(typedResource.getEntity(), true, false) : entitlementRequest.getEntitlementAttributes()) {
                String attrGroup = getGroupForAttribute(attrName);
                boolean plainAttribute = !SDOHelper.isAttributeEntityType(typedResource.getEntity(), attrName);
                if (plainAttribute && hasAttributeEntitlement(caller, typedResource, new Entitlement(RepositoryManager.ACTION_READ, entityType, attrGroup), decisionCache)) {
                    result.add(new Entitlement(RepositoryManager.ACTION_READ, entityType, attrName));
                }
                if (hasAttributeEntitlement(caller, typedResource, new Entitlement("WRITE", entityType, attrGroup), decisionCache)) {
                    result.add(new Entitlement("WRITE", entityType, attrName));
                }
            }
        }
        trcLogger.exiting(CLASSNAME, "getEntitlements()");
        return result;
    }

    /**
     * Attaches entitlement information to every root entity of the output graph.
     * Does nothing when security is disabled or the request asks for nothing.
     *
     * @param dataObject         the input root (used as the resource root for each entity)
     * @param dataObject2        the output root whose entities are annotated in place
     * @param entitlementRequest what information to attach
     * @return the output root, annotated
     * @throws WIMException propagated from the per-entity annotation
     */
    @Override
    public DataObject setEntitlements(DataObject dataObject, DataObject dataObject2, EntitlementRequest entitlementRequest) throws WIMException {
        trcLogger.entering(CLASSNAME, "setEntitlements(DataObject inputRoot, DataObject outputRoot, EntitlementRequest entitleRequest)");
        boolean workToDo = this.isSecurityEnabled && !entitlementRequest.isEmpty();
        if (workToDo) {
            for (Object rootEntity : dataObject2.getList(SDOHelper.PROPERTY_ROOT_ENTITIES)) {
                setEntitlements(new EntityResource(dataObject, (DataObject) rootEntity), entitlementRequest);
            }
        }
        trcLogger.exiting(CLASSNAME, "setEntitlements(DataObject inputRoot, DataObject outputRoot, EntitlementRequest entitleRequest)");
        return dataObject2;
    }

    /**
     * Attaches an entitlement-info object to one entity and recurses into its nested entities.
     * <p>
     * Only invoked when security is enabled (the public overload guards that), which matters
     * because {@link #getRoles(EntityResource)} returns null when it is not.
     *
     * @param entityResource     the entity to annotate
     * @param entitlementRequest what to include: roles, object/attribute entitlements, a check
     * @return the annotated entity
     * @throws WIMException propagated from the role/entitlement lookups
     */
    private DataObject setEntitlements(EntityResource entityResource, EntitlementRequest entitlementRequest) throws WIMException {
        trcLogger.entering(CLASSNAME, "setEntitlements(EntityResource resource, EntitlementRequest entitleRequest)");
        DataObject entity = entityResource.getEntity();
        DataObject entitleInfo = entity.createDataObject(SDOHelper.PROPERTY_ENTITY_ENTITLEINFO);
        if (entitlementRequest.isRolesDesired()) {
            entitleInfo.setList(SDOHelper.PROPERTY_ENTITLEINFO_ROLES, new ArrayList(getRoles(entityResource)));
        }
        boolean entitlementsWanted = entitlementRequest.isObjectEntitlementsDesired() || entitlementRequest.isAttributeEntitlementsDesired();
        if (entitlementsWanted) {
            for (Object held : getEntitlements(entityResource, entitlementRequest)) {
                DataObject slot = entitleInfo.createDataObject(SDOHelper.PROPERTY_ENTITLEINFO_ENTITLEMENTS);
                EntitlementHelper.setEntitlementToDataObject((Entitlement) held, slot);
            }
        }
        if (entitlementRequest.getEntitlementCheck() != null) {
            boolean checkResult = doesEntitlementExist(entityResource, entitlementRequest.getEntitlementCheck());
            entitleInfo.setBoolean(SDOHelper.PROPERTY_ENTITLEINFO_CHECKRESULT, checkResult);
        }
        // Recurse into entity-typed attributes (single- or multi-valued).
        for (String attrName : SDOHelper.getEntityAttributes(entity, false, false)) {
            if (!SDOHelper.isAttributeEntityType(entity, attrName)) {
                continue;
            }
            List nested;
            if (SDOHelper.isAttributeMultiValued(entity, attrName)) {
                nested = entity.getList(attrName);
            } else {
                nested = new ArrayList();
                nested.add(entity.getDataObject(attrName));
            }
            for (Object child : nested) {
                setEntitlements(new EntityResource(entityResource.getRoot(), (DataObject) child), entitlementRequest);
            }
        }
        trcLogger.exiting(CLASSNAME, "setEntitlements(EntityResource resource, EntitlementRequest entitleRequest)");
        return entity;
    }

    /**
     * Tests whether a held entitlement implies the same method on the given entity type, by
     * comparing the two as method permissions.
     *
     * @param str         the entity type of interest
     * @param entitlement an entitlement the caller holds
     * @return true if the held entitlement's permission implies the one for {@code str}
     */
    private boolean isEntitlementApplicable(String str, Entitlement entitlement) {
        Entitlement sameMethodOnType = new Entitlement(entitlement.getMethod(), str, entitlement.getAttribute());
        java.security.Permission held = EntitlementHelper.getMethodPermission(entitlement);
        java.security.Permission wanted = EntitlementHelper.getMethodPermission(sameMethodOnType);
        return held.implies(wanted);
    }

    /**
     * Installs a subject that every subsequent authorization decision is evaluated against.
     * <p>
     * Security note: once set (non-null), {@code getCallerSubject()} returns this subject and
     * no longer consults the WebSphere run-as or caller subject at all, so the value acts as an
     * identity override for this service instance. Only trusted server code should call this;
     * pass null to go back to resolving the real caller.
     *
     * @param subject the subject to impersonate, or null to clear the override
     */
    @Override
    public void setRunAsSubject(Subject subject) {
        this.runAsSubject = subject;
    }

    /**
     * Runs an action with super-user authority.
     * <p>
     * With security enabled the action is handed to the security manager's
     * {@code runAsSuperUser}; with security disabled it is simply invoked in the caller's
     * context (there is nothing to elevate). Either way a WIMException thrown by the action is
     * propagated unchanged and any other failure is wrapped in an AuthPrivilegedException.
     * <p>
     * Security note: this is a public entry point that executes arbitrary actions with elevated
     * authority; callers holding a reference to this service can bypass the per-entity checks.
     *
     * @param privilegedExceptionAction the work to run elevated
     * @return whatever the action returns
     * @throws WIMException a WIMException raised by the action, or an AuthPrivilegedException
     *                      wrapping any other failure
     */
    @Override
    public Object runAsSuperUser(PrivilegedExceptionAction privilegedExceptionAction) throws WIMException {
        trcLogger.entering(CLASSNAME, "runAsSuperUser()");
        if (EnvironmentManager.getWASServerStatus() && !this.isArgusLoaded) {
            initialize(this.finalConfig, this.finalObject);
        }
        Object result;
        if (!this.isSecurityEnabled) {
            try {
                result = privilegedExceptionAction.run();
            } catch (Exception actionFailure) {
                if (actionFailure instanceof WIMException) {
                    throw (WIMException) actionFailure;
                }
                throw new AuthPrivilegedException(MessageKeys.TRC_SUPER_USER_FAILURE, (Throwable) actionFailure, Level.FINE);
            }
        } else {
            try {
                result = this.secManager.runAsSuperUser(privilegedExceptionAction);
            } catch (PrivilegedActionException wrapped) {
                Throwable cause = wrapped.getCause();
                if (cause instanceof WIMException) {
                    throw (WIMException) cause;
                }
                throw new AuthPrivilegedException(MessageKeys.TRC_SUPER_USER_FAILURE, cause, Level.FINE);
            }
        }
        trcLogger.exiting(CLASSNAME, "runAsSuperUser()");
        return result;
    }

    /**
     * Builds a fresh Subject carrying only the {@code VirtualPrincipal.AnonymousUser} principal.
     * Used whenever no usable caller identity can be established, so unauthenticated access is
     * evaluated as "anonymous" rather than with an empty subject.
     *
     * @return a new anonymous Subject (a new instance on every call)
     */
    public Subject getAnonymousSubject() {
        PrivilegedAction<Subject> buildAnonymous = new PrivilegedAction<Subject>() {
            @Override
            public Subject run() {
                Subject anonymous = new Subject();
                anonymous.getPrincipals().add(VirtualPrincipal.AnonymousUser);
                return anonymous;
            }
        };
        return AccessController.doPrivileged(buildAnonymous);
    }

    /**
     * Resolves the Subject that authorization decisions are made for.
     * <p>
     * Resolution order, when security is enabled:
     * <ol>
     *   <li>the subject installed via {@link #setRunAsSubject(Subject)}, if any — this overrides
     *       everything below;</li>
     *   <li>the WebSphere run-as subject, i.e. a delegated identity takes precedence over the
     *       original caller;</li>
     *   <li>the WebSphere caller subject;</li>
     *   <li>the anonymous subject, when no subject was found or the found subject's principal
     *       has no name.</li>
     * </ol>
     * When security is disabled the anonymous subject is returned without any lookup.
     *
     * @return the subject to authorize, never null
     * @throws WIMException an AuthSystemException (AUTH_SUBJECT_FAILURE) if the WebSphere lookup throws
     */
    private Subject getCallerSubject() throws WIMException {
        trcLogger.entering(CLASSNAME, "getCallerSubject()");
        try {
            return AccessController.doPrivileged(new PrivilegedExceptionAction<Subject>() {
                @Override
                public Subject run() throws AuthSystemException {
                    Subject resolved = JACCAuthorizationService.this.getAnonymousSubject();
                    if (JACCAuthorizationService.this.isSecurityEnabled) {
                        if (JACCAuthorizationService.this.runAsSubject != null) {
                            resolved = JACCAuthorizationService.this.runAsSubject;
                        } else {
                            try {
                                Subject candidate = WSSubject.getRunAsSubject();
                                if (candidate == null) {
                                    candidate = WSSubject.getCallerSubject();
                                }
                                boolean usable = candidate != null
                                        && JACCAuthorizationService.this.accessHandler.getSubjectPrincipal(candidate).getName() != null;
                                resolved = usable ? candidate : JACCAuthorizationService.this.getAnonymousSubject();
                            } catch (Exception lookupFailure) {
                                throw new AuthSystemException("AUTH_SUBJECT_FAILURE", lookupFailure, Level.WARNING);
                            }
                        }
                        JACCAuthorizationService.trcLogger.log(Level.FINER, MessageKeys.TRC_CALLER_SUBJECT, new Object[]{JACCAuthorizationService.this.accessHandler.getSubjectPrincipal(resolved).getName()});
                    }
                    JACCAuthorizationService.trcLogger.exiting(JACCAuthorizationService.CLASSNAME, "getCallerSubject()");
                    return resolved;
                }
            });
        } catch (PrivilegedActionException e) {
            // run() declares only AuthSystemException (a WIMException), so that is what is wrapped.
            throw (WIMException) e.getException();
        }
    }

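    /**
     * Returns a display name for the current caller, used in access-trace
     * records and in the {@link AccessException} raised on denial.
     *
     * <p>The caller subject is resolved once via {@link #getCallerSubject()}.
     * When its first principal is the anonymous virtual principal but the
     * security manager reports the subject as super user (presumably the state
     * set up by {@code runAsSuperUser} — confirm against
     * {@code JACCSecurityManager}), the fixed marker {@code "**SUPER USER**"}
     * is returned; otherwise the name of the principal extracted by the access
     * handler is returned.
     *
     * @return the caller's principal name, or {@code "**SUPER USER**"}
     * @throws WIMException if the caller subject cannot be resolved
     */
    private String getCallerSubjectUniqueName() throws WIMException {
        trcLogger.entering(CLASSNAME, "getCallerSubjectUniqueName()");
        if (!this.isArgusLoaded) {
            initialize(this.finalConfig, this.finalObject);
        }
        // Resolve the subject once; the previous version resolved it a second
        // time for the non-super-user branch, repeating the privileged lookup
        // (and its tracing) and risking a different answer between the two calls.
        Subject callerSubject = getCallerSubject();
        Set principals = callerSubject.getPrincipals();
        // Guard the iterator: a subject with no principals must not abort an
        // authorization path with NoSuchElementException.
        boolean anonymousPrincipal = !principals.isEmpty()
                && principals.iterator().next().equals(VirtualPrincipal.AnonymousUser);
        String name;
        if (anonymousPrincipal && this.secManager.isSuperUser(callerSubject)) {
            name = "**SUPER USER**";
        } else {
            name = this.accessHandler.getSubjectPrincipal(callerSubject).getName();
        }
        trcLogger.exiting(CLASSNAME, "getCallerSubjectUniqueName()");
        return name;
    }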

    /**
     * Maps an attribute name to the attribute group it is authorized under.
     *
     * <p>With attribute grouping disabled the attribute name is its own
     * "group". With grouping enabled the configured {@code attributeGroups}
     * map is consulted and any attribute without an explicit entry falls into
     * {@code defaultAttributeGroup}; the resulting mapping is traced at
     * FINEST. Because of that fallback every attribute name resolves to some
     * group — an unknown attribute is never left unmapped.
     *
     * @param str attribute name
     * @return the group name used when authorizing access to {@code str}
     */
    private String getGroupForAttribute(String str) {
        trcLogger.entering(CLASSNAME, "getGroupForAttribute()");
        String group = str;
        if (this.isAttributeGroupingEnabled) {
            Object mapped = this.attributeGroups.get(str);
            group = (mapped == null) ? this.defaultAttributeGroup : (String) mapped;
            trcLogger.log(Level.FINEST, MessageKeys.TRC_ATTR_MAPPED_GROUP, new Object[]{str, group});
        }
        trcLogger.exiting(CLASSNAME, "getGroupForAttribute()");
        return group;
    }

    /**
     * Inverse of {@link #getGroupForAttribute(String)}: collects the attribute
     * names explicitly mapped to the group {@code str}.
     *
     * <p>With grouping disabled the group name itself is returned as the sole
     * attribute. With grouping enabled only attributes that appear in
     * {@code attributeGroups} with value {@code str} are returned.
     * NOTE(review): attributes that reach {@code defaultAttributeGroup} only
     * through the fallback in {@code getGroupForAttribute} have no map entry
     * and are therefore not returned for that group, so this inverse is not
     * complete for the default group — callers that use it to enumerate what
     * a group covers should be aware of that.
     *
     * @param str group name
     * @return a new, mutable set of attribute names (possibly empty)
     */
    private Set getAttributesForGroup(String str) {
        trcLogger.entering(CLASSNAME, "getAttributesForGroup()");
        Set attributes = new HashSet();
        if (!this.isAttributeGroupingEnabled) {
            attributes.add(str);
        } else {
            Iterator it = this.attributeGroups.entrySet().iterator();
            while (it.hasNext()) {
                Map.Entry mapping = (Map.Entry) it.next();
                if (mapping.getValue().equals(str)) {
                    attributes.add(mapping.getKey());
                }
            }
        }
        trcLogger.exiting(CLASSNAME, "getAttributesForGroup()");
        return attributes;
    }

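    /**
     * Traces the outcome of an access check for a single entity.
     *
     * <p>The record is only built when it will actually be emitted. The caller
     * name comes from {@link #getCallerSubjectUniqueName()}, which performs a
     * privileged subject lookup and can itself throw, so that work — and that
     * failure mode — is skipped for levels the logger discards (for example a
     * FINEST record while the logger is configured at FINER, which is the
     * combination {@code checkAccessResult} produces). The existing FINER gate
     * is kept, so nothing is logged that was not logged before.
     *
     * @param str message key to log
     * @param level level at which the record is logged
     * @param entityResource resource whose entity display name is reported
     * @param entitlement entitlement that was checked
     * @throws WIMException if the caller subject cannot be resolved
     */
    private void traceAccessResult(String str, Level level, EntityResource entityResource, Entitlement entitlement) throws WIMException {
        if (trcLogger.isLoggable(Level.FINER) && trcLogger.isLoggable(level)) {
            trcLogger.log(level, str, new Object[]{getCallerSubjectUniqueName(), entitlement.toSimpleString(), SDOHelper.getEntityDisplayName(entityResource.getEntity())});
        }
    }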

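    /**
     * Traces the outcome of an access check over a set of items (roles,
     * attributes or similar — the set is logged as-is).
     *
     * <p>As with the entity overload, the caller name is resolved via
     * {@link #getCallerSubjectUniqueName()} — a privileged lookup that can
     * throw — so the record is only built when both the FINER gate and the
     * requested level are enabled on the logger; a discarded record must not
     * cost a subject lookup or turn into an exception.
     *
     * @param str message key to log
     * @param set items to report alongside the caller name
     * @param level level at which the record is logged
     * @throws WIMException if the caller subject cannot be resolved
     */
    private void traceAccessResult(String str, Set set, Level level) throws WIMException {
        if (trcLogger.isLoggable(Level.FINER) && trcLogger.isLoggable(level)) {
            trcLogger.log(level, str, new Object[]{getCallerSubjectUniqueName(), set});
        }
    }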

    /**
     * Enforces the result of an access decision.
     *
     * <p>A granted decision ({@code z == true}) is merely traced at FINEST.
     * A denied one is turned into an {@link AccessException} carrying the
     * caller name, the entity display name, the resource id and the
     * entitlement, logged at SEVERE. Resolving the caller name for that
     * exception can itself throw a {@link WIMException}; either way control
     * never returns normally from this method on denial, so the check fails
     * closed.
     *
     * @param entityResource resource the decision was made for
     * @param entitlement entitlement that was evaluated
     * @param z {@code true} if access was granted
     * @throws AccessException if access was denied
     * @throws WIMException if the caller subject cannot be resolved
     */
    private void checkAccessResult(EntityResource entityResource, Entitlement entitlement, boolean z) throws WIMException {
        if (z) {
            traceAccessResult(MessageKeys.TRC_ACCESS_SUCCESS, Level.FINEST, entityResource, entitlement);
            return;
        }
        String caller = getCallerSubjectUniqueName();
        String entityName = SDOHelper.getEntityDisplayName(entityResource.getEntity());
        throw new AccessException(caller, entityName, entityResource.getResourceId(), entitlement, Level.SEVERE);
    }

    /**
     * Resolves the delegated-administration view id ({@code "DefaultDAView"})
     * under which {@code entityResource}'s entity is authorized for the action
     * {@code str}.
     *
     * <p>For {@code "GET_ENTITLEMENTS"} the view id already carried by the
     * entity is used when present. Otherwise the entity is cloned, wrapped in
     * a fresh root data object together with a view control naming
     * {@code "DefaultDAView"}, and pushed through the
     * {@code com.ibm.ws.wim.authz.ProfileSecurityManager} plugin (pre-exit,
     * inline {@code getInViewExplicit}, post-exit); the id is then read from
     * the first entity of the plugin's result graph.
     *
     * <p>Security note: for {@link RepositoryManager#ACTION_CREATE} the clone's
     * entity identifier is cleared before the plugin sees it, so the view for a
     * create request is derived from the entity's content rather than from any
     * caller-supplied identifier.
     *
     * <p>NOTE(review): unlike the other entry points in this class this calls
     * {@code initialize} unconditionally, without the {@code isArgusLoaded}
     * guard — presumably idempotent, confirm.
     *
     * @param entityResource resource whose entity is mapped to a DA view
     * @param str action name being authorized
     * @return the resolved view id, never {@code null}
     * @throws AuthSystemException if no view id could be determined
     *         ({@code AUTH_VIEW_PLUGIN_FAILURE}); an unresolvable view is an
     *         error, not "no view", so authorization cannot proceed silently
     * @throws WIMException from the plugin or helper calls
     */
    private String getDelegatedAdminViewId(EntityResource entityResource, String str) throws WIMException {
        trcLogger.entering(CLASSNAME, "getDelegatedAdminViewId()");
        initialize(this.finalConfig, this.finalObject);
        String str2 = null;
        DataObject entity = entityResource.getEntity();
        if (str.equals("GET_ENTITLEMENTS")) {
            // Fast path: the entity may already carry its DA view id.
            str2 = SDOHelper.getEntityViewId("DefaultDAView", entity);
        }
        if (str2 == null) {
            // Work on a clone so the caller's entity is not modified.
            DataObject cloneDataObject = DataGraphHelper.cloneDataObject(entity);
            if (str.equals(RepositoryManager.ACTION_CREATE)) {
                // A create request must not be classified by a supplied identifier.
                cloneDataObject.unset(SDOHelper.PROPERTY_ENTITY_IDENTIFIER);
            }
            DataObject createRootDataObject = SchemaManager.singleton().createRootDataObject();
            createRootDataObject.getList(SDOHelper.PROPERTY_ROOT_ENTITIES).add(cloneDataObject);
            createRootDataObject.createDataObject(SDOHelper.PROPERTY_ROOT_CONTROLS, SDOHelper.NAMESPACE, SDOHelper.CLASSNAME_VIEWCTRL).setString("viewName", "DefaultDAView");
            // Plugin round trip: pre-exit -> inline getInViewExplicit -> post-exit.
            DataObject inlineExitCall = PluginManager.getPluginManager().inlineExitCall("com.ibm.ws.wim.authz.ProfileSecurityManager", PluginManager.getPluginManager().preExitCall("com.ibm.ws.wim.authz.ProfileSecurityManager", createRootDataObject), "getInViewExplicit");
            str2 = SDOHelper.getEntityViewId("DefaultDAView", PluginManager.getPluginManager().postExitCall("com.ibm.ws.wim.authz.ProfileSecurityManager", inlineExitCall, inlineExitCall).getDataGraph().getRootObject().getDataObject(SDOHelper.PROPERTY_ROOT).getDataObject(FileAdapter.DO_ENTITIES0));
        }
        if (str2 == null) {
            // No view means no basis for a decision: fail rather than return null.
            // (The exiting trace below is intentionally skipped on this path.)
            throw new AuthSystemException("AUTH_VIEW_PLUGIN_FAILURE", new Object[]{SDOHelper.getEntityDisplayName(entityResource.getEntity())}, Level.SEVERE);
        }
        trcLogger.log(Level.FINEST, MessageKeys.TRC_ENTITY_MAPPED_DAPATH, new Object[]{SDOHelper.getEntityDisplayName(entityResource.getEntity()), str2});
        trcLogger.exiting(CLASSNAME, "getDelegatedAdminViewId()");
        return str2;
    }

    /**
     * Reports whether any role in {@code set} grants read access.
     *
     * <p>Read is granted by {@code IdMgrReader}, and implicitly by the
     * higher roles {@code IdMgrWriter} and {@code IdMgrAdmin}; role names are
     * matched exactly (case-sensitive).
     *
     * @param set the role names held by the caller
     * @return {@code true} if at least one read-capable role is present
     */
    private boolean hasReadAccess(Set set) {
        String[] readRoles = {"IdMgrAdmin", "IdMgrWriter", "IdMgrReader"};
        for (int i = 0; i < readRoles.length; i++) {
            if (set.contains(readRoles[i])) {
                return true;
            }
        }
        return false;
    }

    /**
     * Reports whether any role in {@code set} grants write access.
     *
     * <p>Write is granted by {@code IdMgrWriter} and {@code IdMgrAdmin};
     * {@code IdMgrReader} alone is not sufficient. Role names are matched
     * exactly (case-sensitive).
     *
     * @param set the role names held by the caller
     * @return {@code true} if at least one write-capable role is present
     */
    private boolean hasWriteAccess(Set set) {
        String[] writeRoles = {"IdMgrAdmin", "IdMgrWriter"};
        for (int i = 0; i < writeRoles.length; i++) {
            if (set.contains(writeRoles[i])) {
                return true;
            }
        }
        return false;
    }

    /**
     * Exposes the JACC security manager that backs this service's
     * authorization decisions — the same object the super-user run-as and
     * super-user checks in this class delegate to.
     *
     * @return the configured {@link JACCSecurityManager}; presumably
     *         {@code null} until {@code initialize} has run — confirm
     */
    @Override // com.ibm.ws.wim.env.IAuthorizationService
    public JACCSecurityManager getAuthzPolicy() {
        JACCSecurityManager policy = secManager;
        return policy;
    }
}
