package com.ibm.ws.eba.blueprint.security;

import com.ibm.ejs.ras.TraceNLS;
import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.security.UserRegistry;
import com.ibm.websphere.security.auth.WSSubject;
import com.ibm.websphere.security.cred.WSCredential;
import com.ibm.ws.eba.blueprint.extensions.interceptors.InterceptorFactory;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.security.core.ContextManagerFactory;
import com.ibm.wsspi.aries.application.metadata.ApplicationMetadataFactory;
import com.ibm.wsspi.aries.application.metadata.WASApplicationSecurityRoleMappingMetadata;
import com.ibm.wsspi.aries.utils.AriesRuntimeUtils;
import com.ibm.wsspi.eba.app.framework.DeployedApplicationMetadata;
import java.lang.reflect.Method;
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedExceptionAction;
import java.util.Collections;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import java.util.WeakHashMap;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.security.auth.Subject;
import org.apache.aries.blueprint.Interceptor;
import org.osgi.framework.Bundle;
import org.osgi.framework.BundleContext;
import org.osgi.service.blueprint.reflect.ComponentMetadata;

/* loaded from: input_file:com/ibm/ws/eba/blueprint/security/BlueprintSecurityInterceptor.class */
/**
 * Blueprint {@link Interceptor} that enforces role-based access on component
 * method calls.
 *
 * <p>Roles are registered per component (see {@link #setRole}) and optionally
 * per method name (see {@link #setMethodRole}) in two static, weakly-keyed
 * maps. On {@link #preCall} the role configured for the invoked method is
 * resolved and, if one exists, the current run-as {@link Subject} is checked
 * against the application's security role mapping; a failed check raises a
 * {@link SecurityException} (message key {@code SECURITYMSGS1001E}).
 *
 * <p>This listing is decompiler output (JADX); control flow inside the
 * authorization check in {@code preCall} should be treated with caution, see
 * the review notes there.
 *
 * <p>Thread-safety: the role maps are {@code Collections.synchronizedMap}
 * wrappers shared by all instances; the {@code synchronized} modifiers on
 * {@link #setRole}/{@link #getRole} lock the individual instance only.
 */
public class BlueprintSecurityInterceptor implements Interceptor, InterceptorFactory, SecurityRoleManager {
    // Application config location handed to getSecurityMappingMetadata(...) in the
    // authorization check. Null for instances built with the no-arg constructor.
    private String appConfigPath;
    // Bundle whose symbolic name scopes the module-role lookups. Null for instances
    // built with the no-arg constructor.
    private Bundle bundle;
    // Extracts the value after "cn=" from a group id. Both ".*" are greedy, so
    // group(1) runs from the LAST "cn=" up to the LAST comma of the id.
    // NOTE(review): if group ids are full DNs with several RDNs after the cn,
    // group(1) would include those RDNs and never equal a bare group name —
    // confirm against the format WSCredential.getGroupIds() actually returns.
    private final Pattern groupPattern;
    private static final TraceComponent tc = Tr.register(BlueprintSecurityInterceptor.class, SecurityConstants.TRACE_GROUP, SecurityConstants.RESOURCE_BUNDLE);
    // Component-level default role, keyed weakly by component metadata.
    // NOTE(review): the WeakHashMap is constructed as a raw type; declared value
    // type is String.
    private static final Map<ComponentMetadata, String> roles = Collections.synchronizedMap(new WeakHashMap());
    // Per-component map of method name -> role; consulted before {@link #roles}.
    // NOTE(review): raw-typed WeakHashMap, same as above.
    private static final Map<ComponentMetadata, Map<String, String>> roleMap = Collections.synchronizedMap(new WeakHashMap());
    // NOTE(review): mutable static (not final); nothing in this file reassigns it.
    private static TraceNLS TRACE_NLS = TraceNLS.getTraceNLS(SecurityConstants.RESOURCE_BUNDLE);

    /**
     * Creates an interceptor with no bundle and no application config path.
     *
     * <p>NOTE(review): the authorization check in {@link #preCall} dereferences
     * {@code bundle} and passes {@code appConfigPath} through, so an instance
     * built this way is presumably only used as the {@link InterceptorFactory},
     * with {@link #createInterceptor} producing the enforcing instances — confirm.
     */
    public BlueprintSecurityInterceptor() {
        if (TraceComponent.isAnyTracingEnabled() && tc.isEntryEnabled()) {
            Tr.entry(tc, "<init>", new Object[0]);
        }
        this.groupPattern = Pattern.compile(".*cn=(.*),.*");
        if (TraceComponent.isAnyTracingEnabled() && tc.isEntryEnabled()) {
            Tr.exit(tc, "<init>");
        }
    }

    /**
     * Creates an enforcing interceptor for one bundle.
     *
     * @param bundle the bundle whose symbolic name scopes module-role lookups
     * @param str    the application config location used to fetch role-mapping metadata
     * @throws BlueprintInterceptorException declared but not thrown by this body
     */
    public BlueprintSecurityInterceptor(Bundle bundle, String str) throws BlueprintInterceptorException {
        if (TraceComponent.isAnyTracingEnabled() && tc.isEntryEnabled()) {
            Tr.entry(tc, "<init>", new Object[]{bundle, str});
        }
        this.groupPattern = Pattern.compile(".*cn=(.*),.*");
        this.bundle = bundle;
        this.appConfigPath = str;
        if (TraceComponent.isAnyTracingEnabled() && tc.isEntryEnabled()) {
            Tr.exit(tc, "<init>");
        }
    }

    /**
     * Returns the interceptor rank; always {@link Integer#MAX_VALUE}.
     *
     * @return {@code Integer.MAX_VALUE}
     */
    public int getRank() {
        if (TraceComponent.isAnyTracingEnabled() && tc.isEntryEnabled()) {
            Tr.entry(this, tc, "getRank", new Object[0]);
        }
        if (TraceComponent.isAnyTracingEnabled() && tc.isEntryEnabled()) {
            Tr.exit(this, tc, "getRank", Integer.MAX_VALUE);
        }
        return Integer.MAX_VALUE;
    }

    /**
     * Authorizes a component method call before it proceeds.
     *
     * <p>Resolves the role for {@code method.getName()} via {@link #getMethodRole}.
     * When no role is configured the call is allowed without any check. Otherwise
     * the check runs inside {@link AccessController#doPrivileged} and throws
     * {@link SecurityException} when the caller is not authorized; the action's
     * {@code Boolean} result is not inspected.
     *
     * @param componentMetadata the intercepted component
     * @param method            the intercepted method
     * @param objArr            the call arguments (only traced)
     * @return {@code componentMetadata}, which the container passes back to the
     *         {@code postCall*} methods
     * @throws SecurityException if a role is configured and the check fails
     * @throws Throwable         anything else the privileged action propagates
     */
    public Object preCall(ComponentMetadata componentMetadata, Method method, Object... objArr) throws Throwable {
        if (TraceComponent.isAnyTracingEnabled() && tc.isEntryEnabled()) {
            Tr.entry(this, tc, "preCall", new Object[]{componentMetadata, method, objArr});
        }
        String methodRole = getMethodRole(componentMetadata, method.getName());
        if (methodRole != null) {
            AccessController.doPrivileged(new PrivilegedExceptionAction<Boolean>(this, methodRole) { // from class: com.ibm.ws.eba.blueprint.security.BlueprintSecurityInterceptor.1
                final /* synthetic */ String val$role;
                final /* synthetic */ BlueprintSecurityInterceptor this$0;

                {
                    if (TraceComponent.isAnyTracingEnabled() && BlueprintSecurityInterceptor.tc.isEntryEnabled()) {
                        Tr.entry(BlueprintSecurityInterceptor.tc, "<init>", new Object[]{this, methodRole});
                    }
                    this.this$0 = this;
                    this.val$role = methodRole;
                    if (TraceComponent.isAnyTracingEnabled() && BlueprintSecurityInterceptor.tc.isEntryEnabled()) {
                        Tr.exit(BlueprintSecurityInterceptor.tc, "<init>");
                    }
                }

                /*
                 * The authorization decision. {@code z} is the "access granted" flag;
                 * it starts false and the method either returns TRUE or throws.
                 *
                 * Outcome as decompiled:
                 *  - no run-as subject, no registry for the app realm, or server
                 *    security disabled      -> granted (see note below)
                 *  - role not mapped in the application -> denied
                 *  - any Throwable during the check     -> FFDC logged, denied
                 *  - otherwise                          -> granted (see note at the
                 *                                          assignment after the loop)
                 */
                /* JADX WARN: Can't rename method to resolve collision */
                @Override // java.security.PrivilegedExceptionAction
                public Boolean run() throws Exception {
                    if (TraceComponent.isAnyTracingEnabled() && BlueprintSecurityInterceptor.tc.isEntryEnabled()) {
                        Tr.entry(this, BlueprintSecurityInterceptor.tc, "run", new Object[0]);
                    }
                    boolean z = false;
                    Subject runAsSubject = WSSubject.getRunAsSubject();
                    WASApplicationSecurityRoleMappingMetadata securityMappingMetadata = AriesRuntimeUtils.getApplicationSecurityManager((BundleContext) null).getSecurityMappingMetadata(this.this$0.appConfigPath);
                    String appRealm = ContextManagerFactory.getInstance().getAppRealm();
                    boolean isServerSecurityEnabled = ContextManagerFactory.getInstance().isServerSecurityEnabled();
                    UserRegistry registry = ContextManagerFactory.getInstance().getRegistry(appRealm);
                    // NOTE(review): this branch is fail-open. With server security
                    // enabled, a missing run-as subject or a missing registry for the
                    // app realm still grants access rather than denying it — confirm
                    // that is the intended contract for this interceptor.
                    if (runAsSubject == null || registry == null || !isServerSecurityEnabled) {
                        z = true;
                    } else {
                        try {
                            if (securityMappingMetadata.isApplicationRoleMapped(this.val$role)) {
                                Iterator<Principal> it = runAsSubject.getPrincipals().iterator();
                                while (true) {
                                    if (!it.hasNext()) {
                                        break;
                                    }
                                    String name = it.next().getName();
                                    // Principal names are split at the first '/' into
                                    // realm (substring2) and user (substring). A name
                                    // without '/' makes indexOf return -1, so the second
                                    // substring(0, -1) throws and the catch below denies.
                                    String substring = name.substring(name.indexOf(47) + 1);
                                    String substring2 = name.substring(0, name.indexOf(47));
                                    if (!securityMappedToUserCheckPlaceholder(securityMappingMetadata, this.val$role, this.this$0.bundle.getSymbolicName(), substring)) {
                                    }
                                    if (!securityMappingMetadata.getUsersMappedToModuleRole(this.val$role, this.this$0.bundle.getSymbolicName()).contains(substring)) {
                                        Set groupsMappedToModuleRole = securityMappingMetadata.getGroupsMappedToModuleRole(this.val$role, this.this$0.bundle.getSymbolicName());
                                        Iterator it2 = runAsSubject.getPublicCredentials(WSCredential.class).iterator();
                                        while (it2.hasNext()) {
                                            Iterator it3 = ((WSCredential) it2.next()).getGroupIds().iterator();
                                            while (it3.hasNext()) {
                                                Object next = it3.next();
                                                if (next instanceof String) {
                                                    Matcher matcher = this.this$0.groupPattern.matcher((String) next);
                                                    // NOTE(review): the boolean from find() is
                                                    // ignored; if the id does not match the
                                                    // pattern, group(1) below throws
                                                    // IllegalStateException, which the catch
                                                    // turns into a denial for the whole call.
                                                    matcher.find();
                                                    Iterator it4 = groupsMappedToModuleRole.iterator();
                                                    while (true) {
                                                        if (!it4.hasNext()) {
                                                            break;
                                                        }
                                                        if (((String) it4.next()).equals(matcher.group(1))) {
                                                            z = true;
                                                            break;
                                                        }
                                                    }
                                                }
                                            }
                                        }
                                        // Special-subject mappings: Everyone and
                                        // AllAuthTrustedRealms leave the loop; AllAuthAppRealm
                                        // leaves it only when the principal's realm equals the
                                        // registry realm.
                                        String specialSubjectMappedToModuleRole = securityMappingMetadata.getSpecialSubjectMappedToModuleRole(this.val$role, this.this$0.bundle.getSymbolicName());
                                        if (!"roles.subject.Everyone".equals(specialSubjectMappedToModuleRole) && !"roles.subject.AllAuthTrustedRealms".equals(specialSubjectMappedToModuleRole)) {
                                            if ("roles.subject.AllAuthAppRealm".equals(specialSubjectMappedToModuleRole) && registry.getRealm().equals(substring2)) {
                                                z = true;
                                                break;
                                            }
                                        } else {
                                            break;
                                        }
                                    } else {
                                        // User is mapped to the role directly.
                                        z = true;
                                        break;
                                    }
                                }
                                // NOTE(review): as decompiled, EVERY exit from the loop above
                                // reaches this line — including exhausting the principal
                                // iterator with no user, group or special-subject match — so
                                // any subject with at least a mappable principal is granted
                                // access whenever the role is mapped at all. This may be a
                                // decompiler artifact (e.g. a labelled break collapsed onto
                                // the wrong target); verify against the original bytecode
                                // before relying on this code as an authorization control.
                                z = true;
                            }
                        } catch (Throwable th) {
                            // Fail closed: any failure during the check denies access.
                            FFDCFilter.processException(th, BlueprintSecurityInterceptor.class.getName(), "190", this);
                            z = false;
                        }
                    }
                    if (z) {
                        Boolean valueOf = Boolean.valueOf(z);
                        if (TraceComponent.isAnyTracingEnabled() && BlueprintSecurityInterceptor.tc.isEntryEnabled()) {
                            Tr.exit(this, BlueprintSecurityInterceptor.tc, "run", valueOf);
                        }
                        return valueOf;
                    }
                    // Denied: the SecurityException is unchecked, so doPrivileged propagates
                    // it to preCall's caller without wrapping.
                    SecurityException securityException = new SecurityException(BlueprintSecurityInterceptor.TRACE_NLS.getFormattedMessage("SECURITYMSGS1001E", new Object[]{this}, (String) null));
                    if (!TraceComponent.isAnyTracingEnabled()) {
                        throw securityException;
                    }
                    if (!BlueprintSecurityInterceptor.tc.isEntryEnabled()) {
                        throw securityException;
                    }
                    Tr.exit(this, BlueprintSecurityInterceptor.tc, "run", securityException);
                    throw securityException;
                }
            });
        }
        if (TraceComponent.isAnyTracingEnabled() && tc.isEntryEnabled()) {
            Tr.exit(this, tc, "preCall", componentMetadata);
        }
        return componentMetadata;
    }

    /**
     * Sets the component-level role that applies to every method without a
     * method-specific role.
     *
     * <p>{@code synchronized} locks this instance, but {@link #roles} is static and
     * shared across instances; per-operation safety comes from the synchronizedMap.
     *
     * @param componentMetadata the component (weak key)
     * @param str               the role name
     */
    @Override // com.ibm.ws.eba.blueprint.security.SecurityRoleManager
    public synchronized void setRole(ComponentMetadata componentMetadata, String str) {
        if (TraceComponent.isAnyTracingEnabled() && tc.isEntryEnabled()) {
            Tr.entry(this, tc, "setRole", new Object[]{componentMetadata, str});
        }
        roles.put(componentMetadata, str);
        if (TraceComponent.isAnyTracingEnabled() && tc.isEntryEnabled()) {
            Tr.exit(this, tc, "setRole");
        }
    }

    /**
     * Returns the component-level role, or {@code null} if none was set.
     *
     * @param componentMetadata the component
     * @return the role name or {@code null}
     */
    @Override // com.ibm.ws.eba.blueprint.security.SecurityRoleManager
    public synchronized String getRole(ComponentMetadata componentMetadata) {
        if (TraceComponent.isAnyTracingEnabled() && tc.isEntryEnabled()) {
            Tr.entry(this, tc, "getRole", new Object[]{componentMetadata});
        }
        String str = roles.get(componentMetadata);
        if (TraceComponent.isAnyTracingEnabled() && tc.isEntryEnabled()) {
            Tr.exit(this, tc, "getRole", str);
        }
        return str;
    }

    /**
     * Sets the role for one method of a component.
     *
     * <p>NOTE(review): the get-then-put on {@link #roleMap} is not atomic; two
     * threads registering the first method role for the same component at the
     * same time can each create an inner map, and one of the two entries is lost.
     * The inner map is a weakly-keyed map of method-name Strings — entries only
     * survive while something else still references the key String; confirm the
     * caller's names are retained (interned method names would be).
     *
     * @param componentMetadata the component (weak key)
     * @param str               the method name (weak key)
     * @param str2              the role name
     */
    @Override // com.ibm.ws.eba.blueprint.security.SecurityRoleManager
    public void setMethodRole(ComponentMetadata componentMetadata, String str, String str2) {
        if (TraceComponent.isAnyTracingEnabled() && tc.isEntryEnabled()) {
            Tr.entry(this, tc, "setMethodRole", new Object[]{componentMetadata, str, str2});
        }
        Map<String, String> map = roleMap.get(componentMetadata);
        if (map == null) {
            map = Collections.synchronizedMap(new WeakHashMap());
            roleMap.put(componentMetadata, map);
        }
        map.put(str, str2);
        if (TraceComponent.isAnyTracingEnabled() && tc.isEntryEnabled()) {
            Tr.exit(this, tc, "setMethodRole");
        }
    }

    /**
     * Resolves the role for a method: the method-specific role if one is set,
     * otherwise the component-level role from {@link #getRole}.
     *
     * @param componentMetadata the component
     * @param str               the method name
     * @return the effective role, or {@code null} if neither level has one
     */
    @Override // com.ibm.ws.eba.blueprint.security.SecurityRoleManager
    public String getMethodRole(ComponentMetadata componentMetadata, String str) {
        if (TraceComponent.isAnyTracingEnabled() && tc.isEntryEnabled()) {
            Tr.entry(this, tc, "getMethodRole", new Object[]{componentMetadata, str});
        }
        String str2 = null;
        Map<String, String> map = roleMap.get(componentMetadata);
        if (map != null) {
            str2 = map.get(str);
        }
        if (str2 == null) {
            str2 = getRole(componentMetadata);
        }
        String str3 = str2;
        if (TraceComponent.isAnyTracingEnabled() && tc.isEntryEnabled()) {
            Tr.exit(this, tc, "getMethodRole", str3);
        }
        return str3;
    }

    /**
     * Post-call hook for a call that threw; traces only, no other behavior.
     *
     * @param componentMetadata the intercepted component
     * @param method            the intercepted method
     * @param th                the exception thrown by the call
     * @param obj               the value returned by {@link #preCall}
     */
    public void postCallWithException(ComponentMetadata componentMetadata, Method method, Throwable th, Object obj) throws Throwable {
        if (TraceComponent.isAnyTracingEnabled() && tc.isEntryEnabled()) {
            Tr.entry(this, tc, "postCallWithException", new Object[]{componentMetadata, method, th, obj});
        }
        if (TraceComponent.isAnyTracingEnabled() && tc.isEntryEnabled()) {
            Tr.exit(this, tc, "postCallWithException");
        }
    }

    /**
     * Post-call hook for a call that returned normally; traces only, no other behavior.
     *
     * @param componentMetadata the intercepted component
     * @param method            the intercepted method
     * @param obj               the value returned by {@link #preCall}
     * @param obj2              the call's return value
     */
    public void postCallWithReturn(ComponentMetadata componentMetadata, Method method, Object obj, Object obj2) throws Throwable {
        if (TraceComponent.isAnyTracingEnabled() && tc.isEntryEnabled()) {
            Tr.entry(this, tc, "postCallWithReturn", new Object[]{componentMetadata, method, obj, obj2});
        }
        if (TraceComponent.isAnyTracingEnabled() && tc.isEntryEnabled()) {
            Tr.exit(this, tc, "postCallWithReturn");
        }
    }

    /**
     * Factory method: builds an enforcing interceptor for a bundle.
     *
     * <p>Returns {@code null} when no deployed-application metadata matches the
     * bundle, and also when the lookup throws {@link BlueprintInterceptorException}
     * (the exception is recorded via FFDC and not rethrown).
     * NOTE(review): a {@code null} result means no interceptor — and therefore no
     * role enforcement — for that bundle; confirm the caller treats {@code null}
     * that way intentionally, since the exceptional path is indistinguishable
     * from "not an application bundle".
     *
     * @param bundle the bundle being wired
     * @return a new interceptor, or {@code null}
     */
    public Interceptor createInterceptor(Bundle bundle) {
        if (TraceComponent.isAnyTracingEnabled() && tc.isEntryEnabled()) {
            Tr.entry(this, tc, "createInterceptor", new Object[]{bundle});
        }
        BlueprintSecurityInterceptor blueprintSecurityInterceptor = null;
        try {
            DeployedApplicationMetadata matchingAppMetadata = getMatchingAppMetadata(bundle);
            if (matchingAppMetadata != null) {
                blueprintSecurityInterceptor = new BlueprintSecurityInterceptor(bundle, matchingAppMetadata.getConfigLocation());
            }
        } catch (BlueprintInterceptorException e) {
            FFDCFilter.processException(e, BlueprintSecurityInterceptor.class.getName(), "242", this);
        }
        BlueprintSecurityInterceptor blueprintSecurityInterceptor2 = blueprintSecurityInterceptor;
        if (TraceComponent.isAnyTracingEnabled() && tc.isEntryEnabled()) {
            Tr.exit(this, tc, "createInterceptor", blueprintSecurityInterceptor2);
        }
        return blueprintSecurityInterceptor2;
    }

    /**
     * Looks up the deployed-application metadata for a bundle.
     *
     * @param bundle the bundle
     * @return whatever {@link ApplicationMetadataFactory#findAppMetadataForBundle}
     *         returns (may be {@code null})
     * @throws BlueprintInterceptorException declared; not thrown by this body itself
     */
    private static DeployedApplicationMetadata getMatchingAppMetadata(Bundle bundle) throws BlueprintInterceptorException {
        if (TraceComponent.isAnyTracingEnabled() && tc.isEntryEnabled()) {
            Tr.entry(tc, "getMatchingAppMetadata", new Object[]{bundle});
        }
        DeployedApplicationMetadata findAppMetadataForBundle = ApplicationMetadataFactory.findAppMetadataForBundle(bundle);
        if (TraceComponent.isAnyTracingEnabled() && tc.isEntryEnabled()) {
            Tr.exit(tc, "getMatchingAppMetadata", findAppMetadataForBundle);
        }
        return findAppMetadataForBundle;
    }
}
