package com.ibm.ws.wim.security.authz.jacc;

import com.ibm.sec.auth.subjectx.VirtualPrincipal;
import com.ibm.sec.authz.jaccx.condition.ConditionalPermission;
import com.ibm.sec.authz.jaccx.condition.OwnerCondition;
import com.ibm.sec.authz.jaccx.resource.TreeBasedResource;
import com.ibm.sec.authz.jaccx.resource.TreeBasedResourceScope;
import com.ibm.sec.authz.jaccx.role.NonScopedRoleAssignmentCondition;
import com.ibm.sec.authz.jaccx.role.RoleCondition;
import com.ibm.sec.authz.jaccx.role.RoleMappingConfiguration;
import com.ibm.sec.authz.jaccx.role.ScopedRoleAssignmentCondition;
import com.ibm.sec.authz.jaccx.xml.XMLSerializable;
import com.ibm.sec.authz.provider.MethodPermission;
import com.ibm.websphere.wim.copyright.IBMCopyright;
import com.ibm.websphere.wim.exception.WIMException;
import com.ibm.websphere.wim.ras.WIMLogger;
import com.ibm.websphere.wim.ras.WIMMessageHelper;
import com.ibm.websphere.wim.security.authz.AuthSystemException;
import com.ibm.ws.wim.RepositoryManager;
import com.ibm.ws.wim.adapter.ldap.LdapConstants;
import com.ibm.ws.wim.configmodel.ConfigmodelPackage;
import com.ibm.ws.wim.security.authz.MessageKeys;
import com.ibm.ws.wim.util.DataGraphHelper;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.security.Permission;
import java.security.Principal;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.logging.Level;
import java.util.logging.Logger;

/* loaded from: input_file:com/ibm/ws/wim/security/authz/jacc/JACCPolicyDefinition.class */
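/**
 * Builds and maintains the WIM JACC authorization policy: the role-to-permission
 * policy (what the {@link #ROLE_ACCOUNT_OWNER} role may do) and the
 * principal-to-role mapping (which users, groups or virtual principals hold a role).
 *
 * <p>Each part can be generated from the built-in defaults ({@link #SOURCE_INTERNAL})
 * or read back from a previously exported XML file ({@link #SOURCE_FILE}). Those XML
 * files are the persisted form of the authorization policy: whoever can modify them
 * decides what WIM authorizes, so they need the same protection as any other
 * security configuration.
 *
 * <p>No synchronization is performed here; two callers editing the same mapping
 * file concurrently each read, modify and rewrite it in full and can overwrite
 * each other's changes.
 */
public class JACCPolicyDefinition extends JACCSecurityManager {
    public static final boolean POLICY_EXISTS = true;
    public static final boolean POLICY_NOT_EXIST = false;
    /** Context id under which both the policy and the role mapping are registered. */
    public static final String POLICY_ID = "WIM Policy";
    public static final String ROLEMAPPING_ID = "WIM Policy";
    /** Root of the resource tree the default owner role is scoped to. */
    public static final String RESOURCE_ROOT = "/root";
    /** Resource pattern the built-in account-owner permissions are granted on. */
    public static final String OBJECT_ACCOUNT = "Entity/RolePlayer/Party/LoginAccount/*";
    /** Attribute groups named by the built-in account-owner permissions. */
    public static final String ATTRGROUP_SENSITIVE = "sensitive";
    public static final String ATTRGROUP_UNCHECKED = "unchecked";
    /** The only role the built-in policy defines. */
    public static final String ROLE_ACCOUNT_OWNER = "Account-Owner-Role";
    /** Policy source selectors: build from the built-in defaults, or read an exported XML file. */
    private static final int SOURCE_INTERNAL = 1;
    private static final int SOURCE_FILE = 2;
    static final String COPYRIGHT_NOTICE = IBMCopyright.COPYRIGHT_NOTICE_LONG_2005_2010;
    public static final String POLICY_SUBDIR = ConfigmodelPackage.eNS_PREFIX + File.separator + "authz";
    private static final String CLASSNAME = JACCPolicyDefinition.class.getName();
    private static final Logger msgLogger = WIMLogger.getMessageLogger(MessageKeys.PACKAGE_NAME);
    private static final Logger trcLogger = WIMLogger.getTraceLogger(MessageKeys.PACKAGE_NAME);
    /** Principal name that {@link #removePrincipalFromRole} treats as "all principals of that kind"; package-visible and assignable, so left non-final. */
    static String WILD_CHAR_STRING = DataGraphHelper.WILDCARD;
    /** Combining algorithm set on every role mapping this class commits. */
    private static final String COMBINING_ALGORITHM = "most-specific-block-overrides";
    /** Principal name that {@link #mapPrincipalToRole} maps to {@link VirtualPrincipal#AllAuthenticatedUsers}. */
    private static final String ALL_AUTHENTICATED_USERS = "AllAuthenticatedUsers";
    /** Scope selector handed to {@code TreeBasedResourceScope}; its meaning is defined by that class and is not visible here. */
    private static final int OWNER_ROLE_SCOPE_TYPE = 4;

    /** Traces only; provider initialization is left to the superclass default constructor. */
    public JACCPolicyDefinition() {
        trcLogger.entering(CLASSNAME, "JACCPolicyDefinition()");
        trcLogger.exiting(CLASSNAME, "JACCPolicyDefinition()");
    }

    /**
     * Creates the policy definition on top of the given JACC provider classes
     * (see the values passed by {@link #main} for the expected order).
     *
     * @param str  policy class name
     * @param str2 role-mapping class name
     * @param str3 policy configuration factory class name
     * @param str4 role-mapping configuration factory class name
     * @param str5 fifth superclass argument; {@code null} when started from {@link #main}
     * @throws AuthSystemException if the superclass cannot initialize the provider
     */
    public JACCPolicyDefinition(String str, String str2, String str3, String str4, String str5) throws AuthSystemException {
        super(str, str2, str3, str4, str5);
        trcLogger.entering(CLASSNAME, "JACCPolicyDefinition(...");
        trcLogger.exiting(CLASSNAME, "JACCPolicyDefinition(...)");
    }

    /**
     * Builds the policy and the role mapping from the built-in defaults, commits
     * both, and exports each to XML when a file name is given.
     *
     * @param str  policy context id
     * @param str2 role-mapping id; not used by this method, kept for API compatibility
     * @param str3 file to export the role-to-permission policy to, or {@code null} to skip the export
     * @param str4 file to export the principal-to-role mapping to, or {@code null} to skip the export
     * @throws AuthSystemException ({@code AUTH_INIT_FAILURE}) wrapping any failure
     */
    public void createPolicy(String str, String str2, String str3, String str4) throws AuthSystemException {
        trcLogger.entering(CLASSNAME, "createPolicy()");
        try {
            createRoletoPermissionPolicy(str, str3, SOURCE_INTERNAL);
            createPrincipalToRolePolicy(str, str4, SOURCE_INTERNAL);
        } catch (Exception e) {
            throw new AuthSystemException("AUTH_INIT_FAILURE", e, Level.SEVERE);
        }
        trcLogger.exiting(CLASSNAME, "createPolicy()");
    }

    /**
     * Reads the policy and the role mapping from previously exported XML files and
     * commits both.
     *
     * @param str  policy context id
     * @param str2 role-mapping id; not used by this method, kept for API compatibility
     * @param str3 XML file holding the role-to-permission policy; must not be {@code null}
     * @param str4 XML file holding the principal-to-role mapping; must not be {@code null}
     * @throws AuthSystemException ({@code AUTH_INIT_FAILURE}) wrapping any failure, including a missing file name
     */
    public void loadPolicy(String str, String str2, String str3, String str4) throws AuthSystemException {
        trcLogger.entering(CLASSNAME, "loadPolicy()");
        try {
            createRoletoPermissionPolicy(str, str3, SOURCE_FILE);
            createPrincipalToRolePolicy(str, str4, SOURCE_FILE);
        } catch (Exception e) {
            throw new AuthSystemException("AUTH_INIT_FAILURE", e, Level.SEVERE);
        }
        trcLogger.exiting(CLASSNAME, "loadPolicy()");
    }

    /**
     * Permissions the built-in policy grants to {@link #ROLE_ACCOUNT_OWNER}, all on
     * {@link #OBJECT_ACCOUNT}: SEARCH, UPDATE, WRITE of the "sensitive" attribute
     * group, and READ/WRITE of the "unchecked" attribute group.
     *
     * @return a fresh, mutable set of permissions
     */
    private static Set<Permission> defaultAccountOwnerPermissions() {
        String[] objects = {OBJECT_ACCOUNT};
        Set<Permission> permissions = new HashSet<Permission>();
        for (String object : objects) {
            permissions.add(new MethodPermission(object, "SEARCH"));
            permissions.add(new MethodPermission(object, RepositoryManager.ACTION_UPDATE));
            permissions.add(new MethodPermission(object, ATTRGROUP_SENSITIVE, "WRITE"));
            permissions.add(new MethodPermission(object, ATTRGROUP_UNCHECKED, RepositoryManager.ACTION_READ));
            permissions.add(new MethodPermission(object, ATTRGROUP_UNCHECKED, "WRITE"));
        }
        return permissions;
    }

    /**
     * Populates {@code configuration} from the XML file {@code fileName}, closing the
     * stream whether or not parsing succeeds.
     *
     * <p>NOTE(review): the XML parser behind {@code readXML} is not visible here; if the
     * file can be influenced by untrusted parties, confirm that it disables external
     * entity resolution.
     *
     * @param configuration policy or role-mapping configuration to fill
     * @param fileName      path of the XML file
     * @throws IllegalArgumentException if {@code fileName} is {@code null}
     * @throws Exception                if the file cannot be opened or parsed
     */
    private static void readXMLFromFile(XMLSerializable configuration, String fileName) throws Exception {
        if (fileName == null) {
            throw new IllegalArgumentException("policy file name must not be null");
        }
        FileInputStream in = new FileInputStream(fileName);
        try {
            configuration.readXML(in);
        } finally {
            in.close();
        }
    }

    /**
     * Serializes {@code configuration} to the XML file {@code fileName}, closing the
     * stream whether or not writing succeeds. The file is truncated on open, so a
     * failure inside {@code writeXML} leaves a partial file behind.
     *
     * @param configuration policy or role-mapping configuration to export
     * @param fileName      path of the XML file to (over)write
     * @throws Exception if the file cannot be opened or written
     */
    private static void writeXMLToFile(XMLSerializable configuration, String fileName) throws Exception {
        FileOutputStream out = new FileOutputStream(fileName);
        try {
            configuration.writeXML(out);
        } finally {
            out.close();
        }
    }

    /**
     * Creates or loads the role-to-permission policy for context {@code str}.
     *
     * @param str  policy context id
     * @param str2 XML file: the export target for {@link #SOURCE_INTERNAL} (skipped when
     *             {@code null}), the input for {@link #SOURCE_FILE} (required)
     * @param i    {@link #SOURCE_INTERNAL} or {@link #SOURCE_FILE}; any other value is treated as a file source
     * @throws Exception on any provider or I/O failure
     */
    private void createRoletoPermissionPolicy(String str, String str2, int i) throws Exception {
        trcLogger.entering(CLASSNAME, "createRoleToPermissionPolicy()");
        XMLSerializable policyConfiguration = getPolicyConfigFactory().getPolicyConfiguration(str, true);
        if (i == SOURCE_INTERNAL) {
            // Each default permission is granted under OwnerCondition; presumably that
            // restricts it to the caller's own account, but the condition's semantics
            // live in the jaccx library, not here.
            for (Permission permission : defaultAccountOwnerPermissions()) {
                policyConfiguration.addToRole(ROLE_ACCOUNT_OWNER, new ConditionalPermission(permission, OwnerCondition.OWNER_CONDITION));
            }
        } else {
            readXMLFromFile(policyConfiguration, str2);
        }
        policyConfiguration.commit();
        getPolicy().refresh();
        if (i == SOURCE_INTERNAL && str2 != null) {
            writeXMLToFile(policyConfiguration, str2);
            // Kept on stdout: this is operator feedback for the main() command-line tool.
            System.out.println("Successfully exported role-to-permission policy to file " + str2);
        }
        trcLogger.exiting(CLASSNAME, "createRoleToPermissionPolicy()");
    }

    /**
     * Creates or loads the principal-to-role mapping for context {@code str}.
     * The built-in mapping assigns {@link #ROLE_ACCOUNT_OWNER} to all authenticated
     * users, scoped to the resource tree rooted at {@link #RESOURCE_ROOT}.
     *
     * @param str  policy context id, resolved through {@code getRoleMappingContext}
     * @param str2 XML file: the export target for {@link #SOURCE_INTERNAL} (skipped when
     *             {@code null}), the input for {@link #SOURCE_FILE} (required)
     * @param i    {@link #SOURCE_INTERNAL} or {@link #SOURCE_FILE}; any other value is treated as a file source
     * @throws Exception on any provider or I/O failure
     */
    private void createPrincipalToRolePolicy(String str, String str2, int i) throws Exception {
        trcLogger.entering(CLASSNAME, "createPrincipalToRolePolicy()");
        XMLSerializable roleMappingConfiguration = getRoleMappingConfigFactory().getRoleMappingConfiguration(getRoleMappingContext(str).getContextID(), true);
        if (i == SOURCE_INTERNAL) {
            roleMappingConfiguration.setCombiningAlgorithm(COMBINING_ALGORITHM);
            TreeBasedResource root = new TreeBasedResource(LdapConstants.ROOT_DSE_BASE, RESOURCE_ROOT);
            TreeBasedResourceScope scope = new TreeBasedResourceScope(root, OWNER_ROLE_SCOPE_TYPE);
            roleMappingConfiguration.addToPrincipal(VirtualPrincipal.AllAuthenticatedUsers, new ScopedRoleAssignmentCondition(ROLE_ACCOUNT_OWNER, scope));
        } else {
            readXMLFromFile(roleMappingConfiguration, str2);
        }
        roleMappingConfiguration.commit();
        getRoleMapping().refresh();
        if (i == SOURCE_INTERNAL && str2 != null) {
            writeXMLToFile(roleMappingConfiguration, str2);
            // Kept on stdout: this is operator feedback for the main() command-line tool.
            System.out.println("Successfully exported principal-to-role policy to file " + str2);
        }
        trcLogger.exiting(CLASSNAME, "createPrincipalToRolePolicy()");
    }

    /**
     * Command-line entry point: generates the built-in policy and role mapping and
     * exports them to the two files named on the command line.
     *
     * @param strArr {@code <output policy filename> <output rolemapping filename>}
     * @throws Exception on any initialization or export failure
     */
    public static void main(String[] strArr) throws Exception {
        if (strArr.length < 2) {
            System.out.println("Syntax: <output policy filename> <output rolemapping filename>\n");
            System.exit(1);
        }
        JACCPolicyDefinition definition = new JACCPolicyDefinition(
                "com.ibm.sec.authz.provider.CommonAuthzPolicy",
                "com.ibm.sec.authz.provider.CommonAuthzRoleMapping",
                "com.ibm.sec.authz.provider.CommonAuthzPolicyConfigurationFactory",
                "com.ibm.sec.authz.provider.CommonAuthzRoleMappingConfigurationFactory",
                null);
        definition.createPolicy(POLICY_ID, ROLEMAPPING_ID, strArr[0], strArr[1]);
    }

    /**
     * Obtains the {@link #POLICY_ID} role-mapping configuration and fills it from
     * the XML mapping file {@code fileName}.
     *
     * @param fileName XML file holding the principal-to-role mapping
     * @return the populated configuration, not yet modified or committed
     * @throws Exception if the configuration cannot be obtained or the file cannot be read
     */
    private XMLSerializable loadRoleMappingConfiguration(String fileName) throws Exception {
        XMLSerializable roleMappingConfiguration = getRoleMappingConfigFactory().getRoleMappingConfiguration(getRoleMappingContext(POLICY_ID).getContextID(), true);
        readXMLFromFile(roleMappingConfiguration, fileName);
        return roleMappingConfiguration;
    }

    /**
     * Assigns role {@code str} to a user or group and writes the mapping file back.
     * A principal that already holds any role is rejected, except the special name
     * {@code "AllAuthenticatedUsers"}, which is always accepted.
     *
     * @param str  role to assign
     * @param str2 user or group name, or {@code "AllAuthenticatedUsers"}
     * @param str3 XML mapping file to read and rewrite
     * @param z    {@code true} if {@code str2} names a user, {@code false} for a group
     * @throws WIMException ({@code USER_OR_GROUP_ALREADY_MAPPED}) if the principal already has a role
     * @throws Exception    on any provider or I/O failure
     */
    public void mapPrincipalToRole(String str, String str2, String str3, boolean z) throws Exception {
        trcLogger.entering(CLASSNAME, "mapPrincipalsToRole");
        XMLSerializable roleMappingConfiguration = loadRoleMappingConfiguration(str3);
        roleMappingConfiguration.setCombiningAlgorithm(COMBINING_ALGORITHM);
        VirtualPrincipal target;
        if (str2.equals(ALL_AUTHENTICATED_USERS)) {
            target = VirtualPrincipal.AllAuthenticatedUsers;
        } else {
            target = z ? new UserPrincipal(str2) : new GroupPrincipal(str2);
            // One role per user/group: refuse if any role condition is already attached.
            Iterator roleConditions = roleMappingConfiguration.getRoleConditions(target);
            if (roleConditions.hasNext()) {
                throw new WIMException("USER_OR_GROUP_ALREADY_MAPPED", WIMMessageHelper.generateMsgParms(str2, ((RoleCondition) roleConditions.next()).getRole()), Level.SEVERE, CLASSNAME, "mapPrincipalsToRole");
            }
        }
        roleMappingConfiguration.addToPrincipal(target, new NonScopedRoleAssignmentCondition(str));
        roleMappingConfiguration.commit();
        getRoleMapping().refresh();
        writeXMLToFile(roleMappingConfiguration, str3);
        trcLogger.exiting(CLASSNAME, "mapPrincipalsToRole");
    }

    /**
     * Removes role {@code str} from a user or group and writes the mapping file back.
     * When {@code str2} equals {@link #WILD_CHAR_STRING} the role is removed from every
     * principal of the requested kind; that filter works by exclusion, so for users it
     * covers everything that is not a {@code GroupPrincipal} (virtual principals
     * included) and for groups everything that is not a {@code UserPrincipal}.
     *
     * @param str  role to remove
     * @param str2 user or group name, or {@link #WILD_CHAR_STRING}
     * @param str3 XML mapping file to read and rewrite
     * @param z    {@code true} if {@code str2} names a user, {@code false} for a group
     * @throws Exception on any provider or I/O failure
     */
    public void removePrincipalFromRole(String str, String str2, String str3, boolean z) throws Exception {
        trcLogger.entering(CLASSNAME, "removePrincipalFromRole");
        XMLSerializable roleMappingConfiguration = loadRoleMappingConfiguration(str3);
        if (str2.equals(WILD_CHAR_STRING)) {
            // Snapshot first: removing conditions while walking the live principal
            // iterator depends on the provider's iterator tolerating modification.
            List<Principal> candidates = new ArrayList<Principal>();
            Iterator principals = roleMappingConfiguration.getPrincipals();
            while (principals.hasNext()) {
                candidates.add((Principal) principals.next());
            }
            for (Principal principal : candidates) {
                boolean excluded = z ? principal instanceof GroupPrincipal : principal instanceof UserPrincipal;
                if (!excluded) {
                    removeFromRole(roleMappingConfiguration, principal, str);
                }
            }
        } else {
            removeFromRole(roleMappingConfiguration, z ? new UserPrincipal(str2) : new GroupPrincipal(str2), str);
        }
        roleMappingConfiguration.commit();
        getRoleMapping().refresh();
        writeXMLToFile(roleMappingConfiguration, str3);
        trcLogger.exiting(CLASSNAME, "removePrincipalFromRole");
    }

    /**
     * Lists, for each requested role, the names of the principals that hold it.
     * Roles with no matching principal are absent from the result rather than
     * mapped to an empty list.
     *
     * <p>NOTE(review): for the group listing ({@code z == false}) any
     * {@code VirtualPrincipal} matches; if {@code UserPrincipal} is itself a
     * {@code VirtualPrincipal} (as the assignments in {@link #mapPrincipalToRole}
     * suggest), users appear in the group listing too. Behavior kept as found;
     * confirm whether that is intended.
     *
     * @param str  XML mapping file to read
     * @param list roles to look up
     * @param z    {@code true} to list users, {@code false} to list groups and virtual principals
     * @return role name to list of principal names, for the roles that have at least one
     * @throws Exception on any provider or I/O failure
     */
    public Map listPrincipalsForRole(String str, List<String> list, boolean z) throws Exception {
        trcLogger.entering(CLASSNAME, "listPrincipalsForRole");
        XMLSerializable roleMappingConfiguration = loadRoleMappingConfiguration(str);
        Map<String, List<String>> principalsByRole = new HashMap<String, List<String>>(3);
        for (String role : list) {
            List<String> names = new ArrayList<String>(10);
            Iterator principals = roleMappingConfiguration.getPrincipals();
            while (principals.hasNext()) {
                Principal principal = (Principal) principals.next();
                if (isRequestedKind(principal, z) && doesPrincipalHasRole(roleMappingConfiguration, principal, role)) {
                    names.add(principal.getName());
                }
            }
            if (!names.isEmpty()) {
                principalsByRole.put(role, names);
            }
        }
        trcLogger.exiting(CLASSNAME, "listPrincipalsForRole", principalsByRole);
        return principalsByRole;
    }

    /**
     * Kind filter used by {@link #listPrincipalsForRole}: users when {@code users} is
     * {@code true}, otherwise groups and virtual principals.
     *
     * @param principal principal to test
     * @param users     which kind is being listed
     * @return whether {@code principal} belongs to the requested kind
     */
    private static boolean isRequestedKind(Principal principal, boolean users) {
        if (users) {
            return principal instanceof UserPrincipal;
        }
        return principal instanceof GroupPrincipal || principal instanceof VirtualPrincipal;
    }

    /**
     * Detaches every role condition for role {@code str} from {@code principal}.
     * Matching conditions are collected before any removal so the provider's
     * iterator is never modified while being walked.
     *
     * @param roleMappingConfiguration mapping to edit (not committed here)
     * @param principal                principal whose conditions are examined
     * @param str                      role to remove
     * @throws Exception on any provider failure
     */
    private void removeFromRole(RoleMappingConfiguration roleMappingConfiguration, Principal principal, String str) throws Exception {
        List<RoleCondition> matching = new ArrayList<RoleCondition>();
        Iterator roleConditions = roleMappingConfiguration.getRoleConditions(principal);
        while (roleConditions.hasNext()) {
            RoleCondition roleCondition = (RoleCondition) roleConditions.next();
            if (roleCondition.getRole().equals(str)) {
                matching.add(roleCondition);
            }
        }
        for (RoleCondition roleCondition : matching) {
            roleMappingConfiguration.removeFromPrincipal(principal, roleCondition);
        }
    }

    /**
     * Tells whether any role condition attached to {@code principal} is for role {@code str}.
     *
     * @param roleMappingConfiguration mapping to inspect
     * @param principal                principal whose conditions are examined
     * @param str                      role to look for
     * @return {@code true} if at least one condition names {@code str}
     * @throws Exception on any provider failure
     */
    private boolean doesPrincipalHasRole(RoleMappingConfiguration roleMappingConfiguration, Principal principal, String str) throws Exception {
        Iterator roleConditions = roleMappingConfiguration.getRoleConditions(principal);
        while (roleConditions.hasNext()) {
            RoleCondition roleCondition = (RoleCondition) roleConditions.next();
            if (roleCondition.getRole().equals(str)) {
                return true;
            }
        }
        return false;
    }
}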
