package com.ibm.ws.soa.sca.security;

import com.ibm.ejs.ras.Tr;
import com.ibm.ejs.ras.TraceComponent;
import com.ibm.ejs.ras.TraceNLS;
import com.ibm.websphere.csi.ExceptionType;
import com.ibm.websphere.security.WSSecurityException;
import com.ibm.websphere.security.WSSecurityHelper;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.security.auth.SubjectHelper;
import com.ibm.ws.security.config.SecurityObjectLocator;
import com.ibm.ws.security.core.ContextManager;
import com.ibm.ws.security.core.ContextManagerFactory;
import com.ibm.ws.security.core.SecurityContext;
import com.ibm.ws.soa.sca.common.runtime.SCAAuthorizationPolicy;
import com.ibm.ws.soa.sca.runtime.BaseSCAInboundInvocationExtension;
import com.ibm.ws.soa.sca.runtime.PreinvokeCookie;
import com.ibm.ws.soa.sca.runtime.SCAInvocationContext;
import com.ibm.wsspi.container.security.AccessException;
import com.ibm.wsspi.container.security.AccessManager;
import com.ibm.wsspi.container.security.AccessManagerFactory;
import com.ibm.wsspi.container.security.DelegationException;
import java.security.GeneralSecurityException;
import javax.security.auth.Subject;
import org.osoa.sca.ServiceRuntimeException;

/* loaded from: input_file:com/ibm/ws/soa/sca/security/SCASecurityInboundExtension.class */
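public class SCASecurityInboundExtension extends BaseSCAInboundInvocationExtension {
    private static final String CLASSNAME = SCASecurityInboundExtension.class.getName();
    private static final TraceComponent tc = Tr.register(SCASecurityInboundExtension.class, "Security", "com.ibm.ejs.resources.security");

    /** Resource bundle and message key used for the authorization-failure audit record. */
    private static final String SECURITY_BUNDLE = "com.ibm.ejs.resources.security";
    private static final String AUTHZ_FAILED_KEY = "security.authz.failed.foruser";
    private static final String AUTHZ_FAILED_DEFAULT = "Authorization.failed.for.{0}.while.invoking.({1}){2}.{3}: {4}";
    /** Resource-type tag handed to the AccessManager; the audit record uses a human-readable variant. */
    private static final String RESOURCE_TYPE = "sca";
    private static final String AUDIT_RESOURCE_KIND = "SCA component";

    /** True only when global security and (multi-domain or server security) were on at construction time. */
    private final boolean securityEnabled;
    /** Null when {@link #securityEnabled} is false; every use is guarded by that flag. */
    private final ContextManager contextManager;
    private final AccessManager accessManager;

    /**
     * Snapshots the security configuration once. The short-circuit order is kept: the
     * config-manager and server-security lookups are only consulted when global security is on.
     */
    public SCASecurityInboundExtension() {
        boolean enabled = SecurityContext.isSecurityEnabled()
                && (SecurityObjectLocator.getSecurityConfigManager().isMultiDomainDefined()
                        || WSSecurityHelper.isServerSecurityEnabled());
        this.securityEnabled = enabled;
        this.contextManager = enabled ? ContextManagerFactory.getInstance() : null;
        this.accessManager = enabled ? AccessManagerFactory.getAccessManager() : null;
    }

    /**
     * Pushes the application security context, authorizes the invocation against the component's
     * SCA authorization policy and switches the thread to the run-as identity.
     *
     * <p>Returns {@code null} (nothing to undo in postinvoke) when security is off, when the
     * composite has no application name (WAR-packaged composites) and no policy, or when
     * application security is disabled. Otherwise returns an {@link SCASecurityCookie} holding the
     * subjects that {@link #inboundPostinvoke} restores.
     *
     * <p>On every path that does not return a cookie — including authorization denial and
     * delegation errors — a successfully pushed application context is popped again, so a failed
     * call never leaves this application's context on the thread for later work.
     *
     * @throws ServiceRuntimeException on policy misuse, authorization failure, or any error
     *         reading or switching subjects; the cause is preserved where one exists
     */
    @Override // com.ibm.ws.soa.sca.runtime.SCAInboundInvocationExtension
    public PreinvokeCookie inboundPreinvoke(SCAInvocationContext sCAInvocationContext) throws ServiceRuntimeException {
        if (!this.securityEnabled) {
            return null;
        }
        String applicationName = sCAInvocationContext.getApplicationName();
        SCAAuthorizationPolicy policy = sCAInvocationContext.getSCAAuthorizationPolicy();
        if (applicationName == null) {
            // A composite inside a WAR has no application context to authorize against, so a
            // policy on it cannot be enforced; reject it rather than silently skip it.
            if (policy == null) {
                return null;
            }
            throw new ServiceRuntimeException("Authorization policy is not supported for a composite deployed within a WAR file.");
        }
        boolean tracing = TraceComponent.isAnyTracingEnabled() && tc.isEntryEnabled();
        if (tracing) {
            Tr.entry(tc, "inboundPreinvoke", new Object[]{sCAInvocationContext.getApplicationContext(), this});
        }
        boolean pushed = false;
        boolean committed = false;
        try {
            pushed = this.accessManager.pushApplicationContext(applicationName);
            if (!WSSecurityHelper.isServerSecurityEnabled()) {
                // Application security is off: no role check and no identity switch are performed.
                if (tracing) {
                    Tr.exit(tc, "inboundPreinvoke", "app security is disabled.");
                }
                return null;
            }
            if (policy == null) {
                // Fail closed: an application-scoped component with no policy object cannot be
                // authorized (the policy is dereferenced for roles, deny-all and run-as below).
                throw new ServiceRuntimeException("Authorization policy is missing for SCA component "
                        + sCAInvocationContext.getComponentName());
            }
            SCASecurityCookie cookie = authorizeAndDelegate(sCAInvocationContext, applicationName, policy);
            committed = true;
            return cookie;
        } finally {
            // Only a cookie-returning exit hands the pushed context over to inboundPostinvoke.
            if (!committed && pushed) {
                this.accessManager.popApplicationContext(applicationName);
            }
        }
    }

    /**
     * Reads the current subjects, performs the access check and installs the run-as identity.
     *
     * <p>The subject that is authorized is the current invocation subject when one is set,
     * otherwise the caller subject, otherwise a freshly created unauthenticated subject
     * (see {@link #setUnauthenticatedSubjectIfNeeded}).
     *
     * @return cookie carrying the authorized subject and the pre-call invocation subject
     * @throws ServiceRuntimeException on subject lookup failure, denial or delegation failure
     */
    private SCASecurityCookie authorizeAndDelegate(SCAInvocationContext ctx, String applicationName, SCAAuthorizationPolicy policy) {
        try {
            Subject callerSubject = this.contextManager.getCallerSubject();
            Subject invocationSubject = this.contextManager.getInvocationSubject();
            Subject effective = setUnauthenticatedSubjectIfNeeded(invocationSubject, callerSubject);
            if (effective != null) {
                callerSubject = effective;
            }
            String componentName = ctx.getComponentName();
            String operationName = ctx.getOperationName();
            checkAccessOrThrow(applicationName, componentName, operationName, policy, callerSubject);
            Subject runAsSubject;
            try {
                runAsSubject = this.accessManager.getRunAsSubject(applicationName, componentName, operationName,
                        policy.isRunAsCallerIdentity(), policy.getRunAsSpecifiedIdentity());
            } catch (DelegationException e) {
                FFDCFilter.processException(e, CLASSNAME + ".inboundPreinvoke", "194", this);
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Error during delegation", e);
                }
                throw new ServiceRuntimeException("Error during delegation", e);
            }
            setSubjects(callerSubject, runAsSubject);
            if (TraceComponent.isAnyTracingEnabled() && tc.isEntryEnabled()) {
                Tr.exit(tc, "inboundPreinvoke", (Object) null);
            }
            return new SCASecurityCookie(callerSubject, invocationSubject);
        } catch (WSSecurityException e) {
            FFDCFilter.processException(e, CLASSNAME + ".inboundPreinvoke", "120", this);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Error getting subjects", e);
            }
            throw new ServiceRuntimeException("Error getting subjects", e);
        }
    }

    /**
     * Runs the AccessManager role check and, on denial, writes the audit record and throws.
     *
     * <p>A failure to resolve the subject's realm security name for the audit message is
     * recorded via FFDC and the placeholder name is used instead — it never suppresses the
     * audit record or converts the denial into a different error.
     *
     * @throws ServiceRuntimeException when access is denied (cause: the AccessException)
     */
    private void checkAccessOrThrow(String applicationName, String componentName, String operationName,
            SCAAuthorizationPolicy policy, Subject subject) {
        AccessException denied;
        try {
            this.accessManager.checkAccess(applicationName, componentName, operationName, RESOURCE_TYPE,
                    policy.getRolesAllowed(), policy.isDenyAll(), policy.isPermitAll(), subject);
            return;
        } catch (AccessException e) {
            FFDCFilter.processException(e, CLASSNAME + ".inboundPreinvoke", "156", this);
            denied = e;
        }
        String userName = "???";
        if (subject != null) {
            try {
                userName = SubjectHelper.getWSCredentialFromSubject(subject).getRealmSecurityName();
            } catch (GeneralSecurityException e) {
                FFDCFilter.processException(e, CLASSNAME + ".inboundPreinvoke", "170", this);
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Unable to resolve caller name for authorization audit record", e);
                }
            }
        }
        Object[] messageArgs = new Object[]{userName, AUDIT_RESOURCE_KIND, componentName, operationName, denied.getMessage()};
        Tr.audit(tc, AUTHZ_FAILED_KEY, messageArgs);
        throw new ServiceRuntimeException(
                TraceNLS.getFormattedMessage(SECURITY_BUNDLE, AUTHZ_FAILED_KEY, messageArgs, AUTHZ_FAILED_DEFAULT), denied);
    }

    /**
     * Undoes {@link #inboundPreinvoke}: pops the application context and restores the caller and
     * invocation subjects saved in the cookie. A {@code null} cookie means preinvoke did nothing.
     *
     * <p>Both subject restores are attempted even if the first one fails, so the run-as identity
     * installed by preinvoke is not left on the thread because the caller-subject restore threw;
     * the first failure is then reported.
     *
     * @throws ServiceRuntimeException if either subject could not be restored
     */
    @Override // com.ibm.ws.soa.sca.runtime.SCAInboundInvocationExtension
    public void inboundPostinvoke(SCAInvocationContext sCAInvocationContext, PreinvokeCookie preinvokeCookie, ExceptionType exceptionType) throws ServiceRuntimeException {
        boolean tracing = TraceComponent.isAnyTracingEnabled() && tc.isEntryEnabled();
        if (tracing) {
            Tr.entry(tc, "inboundPostinvoke", new Object[]{sCAInvocationContext.getApplicationContext(), preinvokeCookie, this});
        }
        if (preinvokeCookie != null) {
            SCASecurityCookie cookie = (SCASecurityCookie) preinvokeCookie;
            // NOTE(review): popped unconditionally here, while preinvoke only pops when push
            // reported true — confirm against the AccessManager contract.
            this.accessManager.popApplicationContext(sCAInvocationContext.getApplicationName());
            WSSecurityException firstFailure = null;
            try {
                // The caller subject is only restored when one is currently set (original behaviour).
                if (this.contextManager.getCallerSubject() != null) {
                    this.contextManager.setCallerSubject(cookie.getReceivedSubject());
                }
            } catch (WSSecurityException e) {
                firstFailure = e;
            }
            try {
                this.contextManager.setInvocationSubject(cookie.getInvokedSubject());
            } catch (WSSecurityException e) {
                if (firstFailure == null) {
                    firstFailure = e;
                }
            }
            if (firstFailure != null) {
                FFDCFilter.processException(firstFailure, CLASSNAME + ".postInvokeCommon", "235", this);
                throw new ServiceRuntimeException(firstFailure.getMessage(), firstFailure);
            }
        }
        if (tracing) {
            Tr.exit(tc, "inboundPostinvoke", (Object) null);
        }
    }

    /** No per-invocation preparation is needed by this extension. */
    @Override // com.ibm.ws.soa.sca.runtime.BaseSCAInboundInvocationExtension, com.ibm.ws.soa.sca.runtime.SCAInboundInvocationExtension
    public void prepare(SCAInvocationContext sCAInvocationContext) {
    }

    /**
     * Chooses the subject to authorize. Returns the invocation subject when it is non-null; when
     * both subjects are null, creates an unauthenticated subject, installs it as the thread's
     * invocation subject and returns it; otherwise (only a caller subject) returns {@code null},
     * which makes the caller fall back to the caller subject.
     *
     * @param subject the current invocation subject, may be null
     * @param subject2 the current caller subject, may be null
     * @throws ServiceRuntimeException if the unauthenticated subject cannot be installed
     */
    private Subject setUnauthenticatedSubjectIfNeeded(Subject subject, Subject subject2) {
        if (subject != null || subject2 != null) {
            return subject;
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Invoked and received Subject are null, setting it anonymous/unauthenticated.");
        }
        try {
            Subject unauthenticated = SubjectHelper.createUnauthenticatedSubject();
            this.contextManager.setInvocationSubject(unauthenticated);
            return unauthenticated;
        } catch (WSSecurityException e) {
            FFDCFilter.processException(e, CLASSNAME + ".setUnauthenticatedSubjectIfNeeded", "260", this);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "contextManager.setInvocationSubject() threw exception when setting invocation subject to unauthenticated. " + e);
            }
            throw new ServiceRuntimeException("Error setting invocation subject to unauthenticated", e);
        }
    }

    /**
     * Installs {@code subject2} as the invocation (run-as) subject and {@code subject} as the
     * caller subject.
     *
     * <p>NOTE(review): if the caller-subject set fails after the invocation subject was already
     * switched, the run-as identity stays on the thread and no cookie is returned to undo it;
     * the previous invocation subject is not known here, so it cannot be restored at this level.
     *
     * @throws ServiceRuntimeException "Invalid credentials" if the invocation subject is rejected,
     *         or the underlying message if the caller subject is rejected
     */
    protected void setSubjects(Subject subject, Subject subject2) {
        boolean tracing = TraceComponent.isAnyTracingEnabled() && tc.isEntryEnabled();
        if (tracing) {
            Tr.entry(tc, "setSubjects", new Object[]{subject, subject2});
        }
        try {
            this.contextManager.setInvocationSubject(subject2);
        } catch (WSSecurityException e) {
            FFDCFilter.processException(e, CLASSNAME + ".setSubjects", "278", this);
            throw new ServiceRuntimeException(TraceNLS.getFormattedMessage(SECURITY_BUNDLE, "security.invalid.creds", (Object[]) null, "Invalid credentials"));
        }
        try {
            this.contextManager.setCallerSubject(subject);
        } catch (WSSecurityException e) {
            FFDCFilter.processException(e, CLASSNAME + ".setSubjects", "287", this);
            throw new ServiceRuntimeException(e.getMessage(), e);
        }
        if (tracing) {
            Tr.exit(tc, "setSubjects");
        }
    }
}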
