package com.ibm.ws.container.security;

import com.ibm.ejs.ras.Tr;
import com.ibm.ejs.ras.TraceComponent;
import com.ibm.websphere.csi.CSIException;
import com.ibm.websphere.csi.EJBKey;
import com.ibm.websphere.security.ProviderFailureException;
import com.ibm.websphere.security.WSSecurityException;
import com.ibm.websphere.security.WSSecurityHelper;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.security.audit.utils.DataHelper;
import com.ibm.ws.security.config.SecurityObjectLocator;
import com.ibm.ws.security.core.ContextManager;
import com.ibm.ws.security.core.ContextManagerFactory;
import com.ibm.ws.security.core.SecurityContext;
import com.ibm.ws.security.delegation.DelegationFactory;
import com.ibm.ws.security.ejb.SecurityBeanCookie;
import com.ibm.wsspi.container.security.AccessException;
import com.ibm.wsspi.container.security.AccessManager;
import com.ibm.wsspi.container.security.DelegationException;
import com.ibm.wsspi.security.audit.AuditService;
import com.ibm.wsspi.security.audit.ContextHandler;
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Date;
import javax.security.auth.Subject;

/* loaded from: input_file:com/ibm/ws/container/security/AccessManagerImpl.class */
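/**
 * Container-side {@link AccessManager} implementation.
 *
 * <p>Responsibilities visible in this class:
 * <ul>
 *   <li>push/pop the application security context via {@link SecurityObjectLocator};</li>
 *   <li>authorize a method call through {@link SCAAccessManager} and translate a denial into
 *       the SPI {@link AccessException};</li>
 *   <li>emit a {@code SECURITY_AUTHZ} audit event (success or denial) when an
 *       {@link AuditService} is available;</li>
 *   <li>resolve a run-as {@link Subject} through {@link DelegationFactory} and execute an
 *       action under it.</li>
 * </ul>
 *
 * <p>The security-enabled state is sampled once, in the private constructor, from
 * {@link SecurityContext#isSecurityEnabled()}. When it is {@code false} the collaborator
 * fields stay {@code null}: {@link #checkAccess} becomes a no-op and {@link #runAs} simply
 * runs the action on the current thread.
 *
 * <p>Parameter names are obfuscated in this (decompiled) listing. From their use below:
 * {@code str} is pushed as the application context, {@code str2} and {@code str3} form the
 * {@code str:str2.str3} audit resource name, {@code strArr} is passed to the access context
 * and audit data as the role list, and {@code str4} is the run-as role named in the
 * delegation error message. Treat these readings as inferred, not documented.
 */
public class AccessManagerImpl implements AccessManager {
    private static final String CLASSNAME = AccessManagerImpl.class.getName();
    private static final TraceComponent tc = Tr.register(AccessManagerImpl.class, "Security");
    private static final AccessManager instance = new AccessManagerImpl();
    // Sampled once in the constructor; never updated afterwards.
    private boolean securityEnabled;
    // The four collaborators below are only initialised when securityEnabled is true.
    private ContextManager contextManager;
    private SCAAccessManager scaAccessManager;
    private AuditService auditService;
    private String default_realm;
    /** Provider name recorded in the AUTHN_PROVIDER_CONTEXT of every audit event. */
    private static final String providerName = "WebSphere";

    /**
     * Returns the process-wide singleton.
     *
     * @return the single {@link AccessManager} created during class initialisation
     */
    public static AccessManager getInstance() {
        return instance;
    }

    /**
     * Samples {@link SecurityContext#isSecurityEnabled()} and, only when security is on,
     * wires the context manager, SCA access manager, audit service and default realm.
     */
    private AccessManagerImpl() {
        this.securityEnabled = SecurityContext.isSecurityEnabled();
        if (this.securityEnabled) {
            this.contextManager = ContextManagerFactory.getInstance();
            this.scaAccessManager = new SCAAccessManager();
            this.auditService = this.contextManager.getAuditService();
            this.default_realm = ContextManagerFactory.getInstance().getDefaultRealm();
        }
    }

    /**
     * Pushes {@code str} as the current application context.
     *
     * <p>The boolean returned by {@link SecurityObjectLocator#pushAppContext} is discarded
     * here; this method always reports {@code true}. Callers that need to know whether a
     * matching {@link #popApplicationContext} is required cannot learn it from this value.
     *
     * @param str the application context to push
     * @return always {@code true}
     */
    @Override // com.ibm.wsspi.container.security.AccessManager
    public boolean pushApplicationContext(String str) {
        final boolean trace = TraceComponent.isAnyTracingEnabled() && tc.isEntryEnabled();
        if (trace) {
            Tr.entry(tc, "pushApplicationContext", str);
        }
        SecurityObjectLocator.pushAppContext(str);
        if (trace) {
            Tr.exit(tc, "pushApplicationContext", str);
        }
        return true;
    }

    /**
     * Pops the current application context. {@code str} is used only in trace output.
     *
     * @param str the application context being popped (trace only)
     */
    @Override // com.ibm.wsspi.container.security.AccessManager
    public void popApplicationContext(String str) {
        final boolean trace = TraceComponent.isAnyTracingEnabled() && tc.isEntryEnabled();
        if (trace) {
            Tr.entry(tc, "popApplicationContext", str);
        }
        SecurityObjectLocator.popContext();
        if (trace) {
            Tr.exit(tc, "popApplicationContext", str);
        }
    }

    /**
     * Authorizes a call and audits the decision.
     *
     * <p>Behaviour:
     * <ul>
     *   <li>No-op when security was disabled at construction time.</li>
     *   <li>When {@link WSSecurityHelper#isServerSecurityEnabled()} is {@code false} the
     *       authorization check is skipped entirely (the trace message calls this the
     *       "non-system apps when app security is disabled" case) and no audit event is
     *       written.</li>
     *   <li>Otherwise the SCA access manager decides; a
     *       {@link com.ibm.ws.security.core.AccessException} is recorded through FFDC, audited
     *       as a denial, and rethrown as the SPI {@link AccessException} with the original as
     *       cause. Any other exception from the SCA check propagates unaudited.</li>
     * </ul>
     *
     * <p>The application context pushed for {@code str} is popped in a {@code finally}
     * block, so it is released exactly once on every exit path.
     *
     * @param str      application name; pushed as the application context
     * @param str2     second part of the audited resource name (component, presumably)
     * @param str3     third part of the audited resource name (method, presumably)
     * @param str4     recorded in the audit ACCESS_CONTEXT; meaning not visible here
     * @param strArr   passed to {@link SCAAccessContext} and audited as the role list
     * @param z        flag passed to {@link SCAAccessContext}; meaning not visible here
     * @param z2       flag passed to {@link SCAAccessContext}; meaning not visible here
     * @param subject  caller subject to authorize; its first principal is audited
     * @throws AccessException when the SCA access manager denies the call
     */
    @Override // com.ibm.wsspi.container.security.AccessManager
    public void checkAccess(String str, String str2, String str3, String str4, String[] strArr, boolean z, boolean z2, Subject subject) throws AccessException {
        if (!this.securityEnabled) {
            return;
        }
        final boolean trace = TraceComponent.isAnyTracingEnabled() && tc.isEntryEnabled();
        if (trace) {
            Tr.entry(tc, "checkAccess", new Object[]{str, str2, str3, strArr, Boolean.valueOf(z), Boolean.valueOf(z2), subject});
        }
        boolean pushed = false;
        try {
            pushed = SecurityObjectLocator.pushAppContext(str);
            if (!WSSecurityHelper.isServerSecurityEnabled()) {
                if (trace) {
                    Tr.exit(tc, "checkAccess", "Skip authorization for non-system apps when app security is disabled.");
                }
                return;
            }
            Exception denial = null;
            try {
                this.scaAccessManager.checkAccess(new SCAAccessContext(str, strArr, z, z2), str2, str3, subject);
            } catch (com.ibm.ws.security.core.AccessException e) {
                // "157" is the FFDC probe id carried over from the original build.
                FFDCFilter.processException(e, CLASSNAME + ".checkAccess", "157", this);
                denial = e;
            }
            if (this.auditService != null) {
                doAudit(subject, str, str2, str3, str4, strArr, denial != null);
            }
            if (trace) {
                Tr.exit(tc, "checkAccess", denial);
            }
            if (denial != null) {
                throw new AccessException(denial.getMessage(), denial);
            }
        } finally {
            // Pop only what this call pushed, on both the normal and the exceptional path.
            if (pushed) {
                SecurityObjectLocator.popContext();
            }
        }
    }

    /**
     * Runs {@code privilegedExceptionAction} under the run-as subject resolved for role
     * {@code str4}.
     *
     * <p>When security was disabled at construction time the action runs directly and any
     * exception it throws (checked or not) is wrapped in a {@link PrivilegedActionException}.
     * Otherwise the application context for {@code str} is pushed, the run-as subject is
     * resolved through {@link #getRunAsSubject}, and the action is executed via
     * {@link ContextManager#runAsSpecified}. A {@code null} run-as subject is treated as a
     * failed delegation.
     *
     * <p>The pushed context is released in {@code finally}. In the decompiled form of this
     * method the exception-path guard was the constant {@code 0 != 0}, so a pushed context
     * was never popped when delegation or the action failed; the {@code finally} closes
     * that leak.
     *
     * @param str   application name; pushed as the application context
     * @param str2  passed to the delegation cookie (component, presumably)
     * @param str3  passed to the delegation cookie and method info (method, presumably)
     * @param str4  run-as role, as named in the delegation error message
     * @param privilegedExceptionAction the action to execute
     * @return the action's result
     * @throws PrivilegedActionException when the action itself fails
     * @throws DelegationException when no run-as subject can be obtained
     */
    @Override // com.ibm.wsspi.container.security.AccessManager
    public Object runAs(String str, String str2, String str3, String str4, PrivilegedExceptionAction privilegedExceptionAction) throws PrivilegedActionException, DelegationException {
        final boolean trace = TraceComponent.isAnyTracingEnabled() && tc.isEntryEnabled();
        if (trace) {
            Tr.entry(tc, "runAs", new Object[]{str, str2, str3, str4});
        }
        if (!this.securityEnabled) {
            try {
                return privilegedExceptionAction.run();
            } catch (Exception e) {
                throw new PrivilegedActionException(e);
            }
        }
        boolean pushed = false;
        try {
            pushed = SecurityObjectLocator.pushAppContext(str);
            final Subject runAsSubject = getRunAsSubject(str, str2, str3, false, str4);
            if (runAsSubject == null) {
                throw new DelegationException("Unable to perform delegation using role " + str4);
            }
            final Object result = this.contextManager.runAsSpecified(runAsSubject, privilegedExceptionAction);
            if (trace) {
                Tr.exit(tc, "runAs");
            }
            return result;
        } finally {
            if (pushed) {
                SecurityObjectLocator.popContext();
            }
        }
    }

    /**
     * Emits one {@code SECURITY_AUTHZ} audit event for an authorization decision.
     *
     * <p>Returns silently when there is no audit service, no context handler, or the audit
     * service reports that the event (DENIED or SUCCESS) is not required. Otherwise the
     * session, access, event, propagation, process, registry, provider and policy contexts
     * are built on the handler and the event is sent; a {@link ProviderFailureException}
     * from {@code sendEvent} is logged and handed to {@code processAuditFailure} rather than
     * propagated, so an audit failure never turns into an authorization failure here.
     *
     * <p>Denial and success differ only in the outcome strings, the outcome codes and the
     * last argument of {@code buildAccessData} ({@code null} for a denial, the role list for
     * a success); everything else is shared.
     *
     * @param subject the caller subject; its first principal's name is audited, or
     *                {@code null} when absent
     * @param str     application name (first part of the resource name)
     * @param str2    second part of the resource name; also audited on its own
     * @param str3    third part of the resource name
     * @param str4    audited alongside {@code str2}; meaning not visible here
     * @param strArr  role list
     * @param z       {@code true} to audit a denial, {@code false} to audit a success
     */
    private void doAudit(Subject subject, String str, String str2, String str3, String str4, String[] strArr, boolean z) {
        if (this.auditService == null) {
            return;
        }
        final String lastTrailId = this.auditService.getLastTrailId();
        final String[] eventTrailIds = this.auditService.getEventTrailIds();
        final ContextHandler contextHandler = this.auditService.getContextHandler();
        if (contextHandler == null) {
            return;
        }
        if (!this.auditService.isEventRequired("SECURITY_AUTHZ", z ? "DENIED" : "SUCCESS")) {
            return;
        }
        final String resource = str.concat(":").concat(str2).concat(".").concat(str3);
        final String principalName = firstPrincipalName(subject);
        contextHandler.buildContextObject("SESSION_CONTEXT", DataHelper.buildSessionData((String) null, (String) null, (String) null, (String) null));
        contextHandler.buildContextObject("ACCESS_CONTEXT", DataHelper.buildAccessData(resource, "authz", (String) null, principalName, z ? "authzDenied" : "authzSuccess", str2, str4, Long.valueOf(0L), (String[]) null, (String[]) null, strArr, z ? (String[]) null : strArr));
        contextHandler.buildContextObject("EVENT_CONTEXT", DataHelper.buildEventData(lastTrailId, eventTrailIds, new Date(), 0L));
        contextHandler.buildContextObject("PROPAGATION_CONTEXT", DataHelper.buildPropagationData(this.auditService.getFirstCaller(), this.auditService.getCallerList()));
        contextHandler.buildContextObject("PROCESS_CONTEXT", DataHelper.buildProcessData(this.auditService.getDomain(), this.default_realm));
        contextHandler.buildContextObject("REGISTRY_CONTEXT", DataHelper.buildRegistryData(DataHelper.convertRegistryInfoType(SecurityObjectLocator.getSecurityConfig().getActiveUserRegistry().getType())));
        contextHandler.buildContextObject("AUTHN_PROVIDER_CONTEXT", DataHelper.buildProviderData(providerName, "providerSuccess"));
        contextHandler.buildContextObject("POLICY_CONTEXT", DataHelper.buildPolicyData((String) null, (String) null));
        try {
            if (z) {
                this.auditService.sendEvent("SECURITY_AUTHZ", DataHelper.buildOutcomeData("UNSUCCESSFUL", Integer.valueOf(-1), Integer.valueOf(-1), "DENIED", 16L));
            } else {
                this.auditService.sendEvent("SECURITY_AUTHZ", DataHelper.buildOutcomeData("SUCCESSFUL", Integer.valueOf(0), Integer.valueOf(0), "SUCCESS", 8L));
            }
        } catch (ProviderFailureException e) {
            Tr.error(tc, "security.audit.service.sendevent.error", new Object[]{e});
            this.auditService.processAuditFailure("security.audit.service.sendevent.error", e);
        }
    }

    /**
     * Name of the first principal in {@code subject}, in the set's iteration order.
     *
     * <p>The decompiled code indexed {@code getPrincipals().toArray()[0]}, which throws
     * {@link ArrayIndexOutOfBoundsException} for a subject with no principals and would have
     * escaped {@link #checkAccess} as an unaudited runtime failure. An empty set now audits
     * as a {@code null} name.
     *
     * @param subject the subject, may be {@code null}
     * @return the first principal's name, or {@code null} when there is none
     */
    private static String firstPrincipalName(Subject subject) {
        if (subject == null) {
            return null;
        }
        for (Principal principal : subject.getPrincipals()) {
            return principal.getName();
        }
        return null;
    }

    /**
     * Resolves the subject to run as for role {@code str4}.
     *
     * <p>The caller subject is read from the context manager, then the delegation provider is
     * invoked inside {@link AccessController#doPrivileged}. No {@link EJBKey} and no
     * pre-resolved subject are supplied to {@code delegate}; both are passed as {@code null}
     * and the provider is left to derive the result from the caller subject and the cookie
     * (inferred from the arguments, not documented here).
     *
     * <p>Both failure modes are recorded through FFDC (probe ids {@code "377"} and
     * {@code "393"} carried over from the original build) and rethrown as
     * {@link DelegationException} with the cause preserved.
     *
     * @param str   application name (stored in the {@link SecurityBeanCookie})
     * @param str2  component name, presumably (stored in the cookie)
     * @param str3  method name, presumably (cookie, method info and delegation argument)
     * @param z     flag stored in {@link SCASecurityMethodInfo}; meaning not visible here
     * @param str4  run-as role stored in {@link SCASecurityMethodInfo}
     * @return the delegated subject; may be {@code null} if the provider returns none
     * @throws DelegationException when the caller subject cannot be read or delegation fails
     */
    public Subject getRunAsSubject(String str, String str2, final String str3, boolean z, String str4) throws DelegationException {
        final EJBKey eJBKey = null;
        final SCASecurityMethodInfo sCASecurityMethodInfo = new SCASecurityMethodInfo(str3, z, str4);
        final SecurityBeanCookie securityBeanCookie = new SecurityBeanCookie(str2, str, str3);
        final Subject subject = null;
        final Subject callerSubject;
        try {
            callerSubject = this.contextManager.getCallerSubject();
        } catch (WSSecurityException e) {
            FFDCFilter.processException(e, CLASSNAME + ".getRunAsSubject", "377", this);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Error getting subjects", e);
            }
            throw new DelegationException("Error getting subjects", e);
        }
        try {
            return (Subject) AccessController.doPrivileged(new PrivilegedExceptionAction() { // from class: com.ibm.ws.container.security.AccessManagerImpl.1
                @Override // java.security.PrivilegedExceptionAction
                public Object run() throws CSIException {
                    return DelegationFactory.getDelegation().delegate(eJBKey, sCASecurityMethodInfo, subject, callerSubject, securityBeanCookie, str3);
                }
            });
        } catch (PrivilegedActionException e) {
            final Exception cause = e.getException();
            FFDCFilter.processException(cause, CLASSNAME + ".getRunAsSubject", "393", this);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Error getting delegatedSubject");
            }
            throw new DelegationException("Error during delegation", cause);
        }
    }
}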
