package com.ibm.ws.security.core;

import com.ibm.ejs.ras.Tr;
import com.ibm.ejs.ras.TraceComponent;
import com.ibm.websphere.management.authorizer.AdminAuthorizer;
import com.ibm.ws.security.ejb.BeanAccessContext;
import com.ibm.ws.security.ejb.BeanAccessPermission;
import com.ibm.ws.security.ejb.BeanPermissionRoleMap;
import com.ibm.ws.security.util.AccessController;
import com.ibm.wsspi.security.policy.EJBSecurityPolicy;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.util.List;
import javax.security.auth.Subject;
import org.eclipse.emf.common.util.EList;
import org.eclipse.jst.j2ee.common.SecurityRole;
import org.eclipse.jst.j2ee.ejb.ExcludeList;

/* loaded from: input_file:com/ibm/ws/security/core/BaseAccessManager.class */
/**
 * Shared authorization logic for EJB method access checks.
 *
 * <p>Subclasses supply the role-evaluation primitives ({@link #isGrantedRole},
 * {@link #isEveryoneGranted}, {@link #isGrantedAnyRole}), the
 * {@link #allowIfNoRequiredRoles()} policy and the {@link #getAdminAuthorizer()}
 * lookup; this class drives the decision in {@link #checkAccess}. The trace
 * component {@code tc} is consulted before every trace call so tracing is
 * cheap when disabled.
 *
 * <p>NOTE(review): the static {@code adminapps} list is assigned from outside this
 * class (nothing here writes it) — its population and thread-safety are not
 * visible from this file.
 */
public abstract class BaseAccessManager implements AccessManager {
    private static TraceComponent tc = Tr.register(BaseAccessManager.class, (String) null, "com.ibm.ejs.resources.security");
    // Names of applications treated as admin apps; only read here (see checkIfAdminApp).
    protected static List adminapps = null;
    // Read directly by checkAccess after getAdminAuthorizer() is called; presumably
    // the subclass's getAdminAuthorizer() populates it — TODO confirm.
    protected AdminAuthorizer adminAuthorizer = null;

    @Override // com.ibm.ws.security.core.AccessManager
    public abstract boolean isGrantedRole(AccessContext accessContext, SecurityRole securityRole, Principal principal);

    @Override // com.ibm.ws.security.core.AccessManager
    public abstract boolean isEveryoneGranted(AccessContext accessContext, SecurityRole[] securityRoleArr);

    @Override // com.ibm.ws.security.core.AccessManager
    public abstract boolean isGrantedAnyRole(AccessContext accessContext, SecurityRole[] securityRoleArr, Subject subject);

    /**
     * Looks up the roles required to invoke a method via the context's
     * {@link PermissionRoleMap}.
     *
     * @param accessContext must be a {@link BeanAccessContext} (the cast is unchecked here;
     *                      any other type fails with a {@code ClassCastException}, {@code null}
     *                      with a {@code NullPointerException})
     * @param str           first half of the permission (passed straight to
     *                      {@link BeanAccessPermission}; presumably the bean/method name — confirm)
     * @param str2          second half of the permission (presumably the method interface — confirm)
     * @return the required roles, or {@code null} when the context has no permission-role map
     *         or the map itself returns {@code null}
     */
    public SecurityRole[] getRequiredRoles(AccessContext accessContext, String str, String str2) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getRequiredRoles" + accessContext.getEnterpriseAppName() + " " + str + " " + str2);
        }
        PermissionRoleMap permissionRoleMap = ((BeanAccessContext) accessContext).getPermissionRoleMap();
        BeanAccessPermission beanAccessPermission = new BeanAccessPermission(str, str2);
        SecurityRole[] securityRoleArr = null;
        if (permissionRoleMap != null) {
            securityRoleArr = permissionRoleMap.getRequiredRoles(accessContext, beanAccessPermission);
        } else if (tc.isDebugEnabled()) {
            // A missing map yields null, which checkAccess treats as a hard deny.
            Tr.debug(tc, "Returned PermissionRoleMap is null");
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getRequiredRoles", securityRoleArr);
        }
        return securityRoleArr;
    }

    /** Whether a method with no declared required roles may be invoked (see {@link #checkAccess}). */
    public abstract boolean allowIfNoRequiredRoles();

    /**
     * Returns the authorizer used for admin applications, or {@code null}.
     * NOTE(review): checkAccess grants access to admin-app methods when this returns
     * {@code null}, so a subclass that returns {@code null} makes that path fail open.
     */
    protected abstract AdminAuthorizer getAdminAuthorizer();

    /**
     * Tells whether the named application is registered in {@code adminapps}.
     *
     * @param str the enterprise application name
     * @return {@code true} only when {@code adminapps} is non-null and contains {@code str}
     */
    public static boolean checkIfAdminApp(String str) {
        boolean z = adminapps != null && adminapps.contains(str);
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "checkIfAdminApp", new Object[]{str, Boolean.valueOf(z)});
        }
        return z;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Extracts the role names from an array of roles.
     *
     * @param securityRoleArr roles to read; {@code null} is treated as empty
     * @return a new array of role names in the same order (never {@code null})
     */
    public String[] getNamesFromRoles(SecurityRole[] securityRoleArr) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getNamesFromRoles", securityRoleArr);
        }
        String[] strArr = new String[securityRoleArr == null ? 0 : securityRoleArr.length];
        for (int i = 0; i < strArr.length; i++) {
            strArr[i] = securityRoleArr[i].getRoleName();
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getNamesFromRoles", strArr);
        }
        return strArr;
    }

    /**
     * Authorizes {@code subject} to invoke the method identified by {@code obj}/{@code obj2}.
     *
     * <p>Decision order, each step short-circuiting:
     * <ol>
     *   <li>required roles come from the context's {@link PermissionRoleMap} when the context is a
     *       {@link BeanAccessContext} carrying an {@link EJBSecurityPolicy}; otherwise from
     *       {@link #getRequiredRoles};</li>
     *   <li>{@code null} required roles → deny;</li>
     *   <li>method on the exclude list ({@link #isExcluded}) → deny;</li>
     *   <li>{@code EMPTY_REQUIRED_ROLES} → deny;</li>
     *   <li>{@code NO_REQUIRED_ROLES} → allow iff {@link #allowIfNoRequiredRoles()};</li>
     *   <li>admin application ({@link #checkIfAdminApp}) → allow when no admin authorizer is
     *       configured, else ask {@code adminAuthorizer}; the everyone/any-role checks are
     *       <b>not</b> consulted on this branch;</li>
     *   <li>otherwise allow if everyone is granted or the subject holds any required role;</li>
     *   <li>anything else → deny.</li>
     * </ol>
     *
     * @param accessContext the access context; must be a {@link BeanAccessContext} by the time
     *                      {@link #isExcluded} runs (it throws otherwise)
     * @param obj           cast to {@code String} unchecked (presumably the bean/method name — confirm)
     * @param obj2          cast to {@code String} unchecked (presumably the method interface — confirm)
     * @param subject       the caller's subject
     * @throws AccessException on every deny outcome listed above
     */
    @Override // com.ibm.ws.security.core.AccessManager
    public void checkAccess(final AccessContext accessContext, final Object obj, final Object obj2, final Subject subject) throws AccessException {
        PermissionRoleMap permissionRoleMap;
        if (tc.isEntryEnabled()) {
            // Entry trace runs privileged; presumably because toString() on the
            // arguments may need permissions under a security manager — confirm.
            AccessController.doPrivileged(new PrivilegedAction() { // from class: com.ibm.ws.security.core.BaseAccessManager.1
                @Override // java.security.PrivilegedAction
                public Object run() {
                    Tr.entry(BaseAccessManager.tc, "checkAccess", new Object[]{accessContext, obj, obj2, subject});
                    return null;
                }
            });
        }
        String str = (String) obj;
        String str2 = (String) obj2;
        SecurityRole[] securityRoleArr = null;
        // New path: the policy-backed map is asked with null method identifiers.
        if ((accessContext instanceof BeanAccessContext) && ((BeanAccessContext) accessContext).getEJBSecurityPolicy() != null && (permissionRoleMap = ((BeanAccessContext) accessContext).getPermissionRoleMap()) != null) {
            securityRoleArr = permissionRoleMap.getRequiredRoles(accessContext, (String) null, (String) null);
        }
        if (securityRoleArr == null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "checkAccess calling getRequiredRoles old path");
            }
            securityRoleArr = getRequiredRoles(accessContext, str, str2);
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "checkAccess required roles", securityRoleArr);
        }
        // Unknown required roles is a deny, not an allow.
        if (securityRoleArr == null) {
            throw new AccessException("Null required roles");
        }
        // Exclusion is checked before any grant so an excluded method can never be reached.
        if (isExcluded(accessContext, str, str2)) {
            throw new AccessException(str + ":" + str2 + " is excluded");
        }
        // Identity comparisons: these are sentinel arrays, not content checks.
        if (securityRoleArr == PermissionRoleMap.EMPTY_REQUIRED_ROLES) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Empty required roles list defined in Authorization Constraint for the web applicaiton in the DD");
            }
            throw new AccessException("Empty required roles list defined in Authorization Constraint");
        }
        if (securityRoleArr == PermissionRoleMap.NO_REQUIRED_ROLES) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "checkAccess no required roles declared");
            }
            if (!allowIfNoRequiredRoles()) {
                throw new AccessException("No required roles defined");
            }
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "checkAccess 1");
                return;
            }
            return;
        }
        // The null guard here is effectively moot: a null context already fails inside
        // isExcluded (and getRequiredRoles) above.
        if (accessContext != null && checkIfAdminApp(accessContext.getEnterpriseAppName())) {
            String[] namesFromRoles = getNamesFromRoles(securityRoleArr);
            // NOTE(review): a null admin authorizer grants access outright (fail-open);
            // the field adminAuthorizer is read, not the getter's return value.
            if (getAdminAuthorizer() == null || this.adminAuthorizer.isGrantedRole(namesFromRoles, subject)) {
                if (tc.isEntryEnabled()) {
                    Tr.exit(tc, "checkAccess 2");
                    return;
                }
                return;
            }
        } else if (isEveryoneGranted(accessContext, securityRoleArr)) {
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "checkAccess 3");
                return;
            }
            return;
        } else if (isGrantedAnyRole(accessContext, securityRoleArr, subject)) {
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "checkAccess 4");
                return;
            }
            return;
        }
        // Deny: list the roles that would have been needed (role names only, no subject data).
        StringBuffer stringBuffer = new StringBuffer(128);
        stringBuffer.append(" is not granted any of the required roles: ");
        for (SecurityRole securityRole : securityRoleArr) {
            stringBuffer.append(securityRole.getRoleName()).append(" ");
        }
        String stringBuffer2 = stringBuffer.toString();
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, stringBuffer2);
        }
        throw new AccessException(stringBuffer2);
    }

    /**
     * Tells whether the method is excluded (deny-all).
     *
     * <p>When the context carries an {@link EJBSecurityPolicy}, its {@code isDenyAll()} answers
     * and {@code str}/{@code str2} are not consulted; otherwise the deployment descriptor's
     * exclude list is searched via {@link #isExcludedFromDD}.
     *
     * @param accessContext must be a {@link BeanAccessContext}
     * @param str           method identifier (only used on the deployment-descriptor path)
     * @param str2          method interface (only used on the deployment-descriptor path)
     * @return {@code true} when the method is excluded
     * @throws IllegalArgumentException when {@code accessContext} is not a {@link BeanAccessContext}
     *                                  (including {@code null})
     */
    public boolean isExcluded(AccessContext accessContext, String str, String str2) {
        boolean isDenyAll;
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "isExcluded", new Object[]{accessContext, str, str2});
        }
        if (!(accessContext instanceof BeanAccessContext)) {
            throw new IllegalArgumentException("AccessContext received is not a BeanAccessContext: " + accessContext);
        }
        EJBSecurityPolicy eJBSecurityPolicy = ((BeanAccessContext) accessContext).getEJBSecurityPolicy();
        if (eJBSecurityPolicy == null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "isExcluded EJBSecurityPolicy is null, checking deployment descriptor.");
            }
            isDenyAll = isExcludedFromDD(accessContext, str, str2);
        } else {
            isDenyAll = eJBSecurityPolicy.isDenyAll();
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "isExcluded", Boolean.valueOf(isDenyAll));
        }
        return isDenyAll;
    }

    /**
     * Searches the deployment descriptor's exclude list for the method.
     *
     * @param accessContext cast to {@link BeanAccessContext} unchecked
     * @param str           method identifier; only the part after the last {@code ':'} is matched
     *                      (a {@code null} value fails with a {@code NullPointerException})
     * @param str2          method interface, passed through to
     *                      {@link BeanPermissionRoleMap#findMatchingMethod}
     * @return {@code true} only when an exclude list exists, has method elements and one of them
     *         matches; {@code false} when the ejb-jar, assembly descriptor or exclude list is absent
     */
    public boolean isExcludedFromDD(AccessContext accessContext, String str, String str2) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "isExcludedFromDD", new Object[]{accessContext, str, str2});
        }
        BeanAccessContext beanAccessContext = (BeanAccessContext) accessContext;
        ExcludeList excludeList = null;
        if (beanAccessContext.getEjbJar() != null && beanAccessContext.getEjbJar().getAssemblyDescriptor() != null) {
            excludeList = beanAccessContext.getEjbJar().getAssemblyDescriptor().getExcludeList();
        }
        if (excludeList == null) {
            if (!tc.isEntryEnabled()) {
                return false;
            }
            Tr.exit(tc, "isExcludedFromDD - no exclude list, returning false");
            return false;
        }
        EList methodElements = excludeList.getMethodElements();
        // 58 is ':'; keep the suffix after the last colon (the whole string when there is none).
        String substring = str.substring(str.lastIndexOf(58) + 1);
        if (methodElements == null || methodElements.size() == 0 || !BeanPermissionRoleMap.findMatchingMethod(substring, str2, methodElements)) {
            if (!tc.isEntryEnabled()) {
                return false;
            }
            Tr.exit(tc, "isExcludedFromDD false");
            return false;
        }
        if (!tc.isEntryEnabled()) {
            return true;
        }
        Tr.exit(tc, "isExcludedFromDD true");
        return true;
    }
}
