package com.ibm.ws.ejbcontainer.security.internal.jacc;

import com.ibm.ejs.ras.TraceNLS;
import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.websphere.ras.annotation.TraceOptions;
import com.ibm.websphere.security.audit.AuditAuthResult;
import com.ibm.websphere.security.audit.AuditAuthenticationResult;
import com.ibm.websphere.security.audit.context.AuditManager;
import com.ibm.ws.ejbcontainer.EJBComponentMetaData;
import com.ibm.ws.ejbcontainer.EJBMethodMetaData;
import com.ibm.ws.ejbcontainer.EJBRequestData;
import com.ibm.ws.ejbcontainer.security.internal.EJBAccessDeniedException;
import com.ibm.ws.ejbcontainer.security.internal.EJBAuthorizationHelper;
import com.ibm.ws.ejbcontainer.security.internal.TraceConstants;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.ws.security.audit.Audit;
import com.ibm.ws.security.authentication.principals.WSPrincipal;
import com.ibm.ws.security.authorization.jacc.JaccService;
import com.ibm.wsspi.kernel.service.utils.AtomicServiceReference;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import javax.ejb.EnterpriseBean;
import javax.security.auth.Subject;

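/**
 * {@link EJBAuthorizationHelper} that delegates every EJB authorization decision to the
 * JACC provider exposed through {@link JaccService}.
 *
 * <p>{@link #authorizeEJB} asks the provider whether the caller may invoke the target method
 * and writes one {@code SECURITY_AUTHZ_03} audit record per decision (success or failure);
 * a negative decision is surfaced to the container as {@link EJBAccessDeniedException}.
 * {@link #isCallerInRole} forwards the {@code isCallerInRole} question to the provider.
 *
 * <p>The helper never grants access on its own: when the provider is unavailable or the
 * caller's identity cannot be read from the {@link Subject}, the request is rejected.
 */
@InjectedFFDC
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
@TraceOptions
public class EJBJaccAuthorizationHelper implements EJBAuthorizationHelper {
    private static final TraceComponent tc = Tr.register(EJBJaccAuthorizationHelper.class, TraceConstants.TRACE_GROUP, TraceConstants.MESSAGE_BUNDLE);

    /** Message key used both for the Tr audit line and the exception text on denial. */
    private static final String AUTHZ_FAILED_MSG_KEY = "EJB_JACC_AUTHZ_FAILED";
    /** Fallback text when the message bundle cannot be resolved; wording is that of the original. */
    private static final String AUTHZ_FAILED_DEFAULT_MSG = "CWWKS9406A: Authorization by the JACC provider failed. The user is not granted access to any of the required roles.";
    /** Authentication scheme reported in the audit record (the original hard-codes "BASIC"). */
    private static final String AUDIT_AUTH_TYPE = "BASIC";
    /** Status codes recorded in the audit event; 200 on success, 403 on denial. */
    private static final int AUDIT_STATUS_GRANTED = 200;
    private static final int AUDIT_STATUS_DENIED = 403;

    private final AtomicServiceReference<JaccService> jaccServiceRef;
    /**
     * Audit context of the most recent {@link #authorizeEJB} call. Kept as a protected field for
     * subclasses; note that a shared helper instance overwrites it on every call, so callers of
     * this class should not rely on it across concurrent requests.
     */
    protected AuditManager auditManager;
    static final long serialVersionUID = 5154708532768744635L;

    /**
     * Creates a helper bound to the given JACC service reference.
     *
     * @param atomicServiceReference reference resolved lazily on each authorization call
     */
    public EJBJaccAuthorizationHelper(AtomicServiceReference<JaccService> atomicServiceReference) {
        this.jaccServiceRef = atomicServiceReference;
    }

    /**
     * Fills {@code map} with the EJB request attributes that are attached to the audit record.
     *
     * <p>Keys written: {@code methodArguments} (raw array, may be null), {@code applicationName},
     * {@code moduleName}, {@code methodName}, {@code methodInterface}, {@code methodSignature},
     * {@code beanName} and {@code methodParameters} (the arguments as a list, or null when there
     * are none).
     *
     * @param eJBRequestData request being authorized
     * @param map            target map, populated in place
     */
    public void populateAuditEJBHashMap(EJBRequestData eJBRequestData, Map<String, Object> map) {
        EJBMethodMetaData methodMetaData = eJBRequestData.getEJBMethodMetaData();
        Object[] methodArguments = eJBRequestData.getMethodArguments();
        map.put("methodArguments", methodArguments);
        map.put("applicationName", methodMetaData.getEJBComponentMetaData().getJ2EEName().getApplication());
        map.put("moduleName", methodMetaData.getEJBComponentMetaData().getJ2EEName().getModule());
        map.put("methodName", methodMetaData.getMethodName());
        map.put("methodInterface", methodMetaData.getEJBMethodInterface().specName());
        map.put("methodSignature", methodMetaData.getMethodSignature());
        map.put("beanName", methodMetaData.getEJBComponentMetaData().getJ2EEName().getComponent());
        map.put("methodParameters", toArgumentList(methodArguments));
    }

    /**
     * Authorizes the EJB method invocation described by {@code eJBRequestData} for {@code subject}.
     *
     * <p>The JACC provider is consulted first; an audit record is then written for the outcome.
     * Access is denied (with a failure audit record) when the provider says no, and also when the
     * Subject carries no {@link WSPrincipal} - in that case the caller's identity cannot be
     * established, so the request is rejected rather than granted on an anonymous decision.
     *
     * @param eJBRequestData request being authorized
     * @param subject        caller's Subject; must carry a {@link WSPrincipal}
     * @throws EJBAccessDeniedException when access is not granted
     * @throws NullPointerException     when no {@link JaccService} is currently registered
     */
    @Override // com.ibm.ws.ejbcontainer.security.internal.EJBAuthorizationHelper
    public void authorizeEJB(EJBRequestData eJBRequestData, Subject subject) throws EJBAccessDeniedException {
        // Work from a local so concurrent calls that overwrite the protected field cannot
        // mix audit contexts; the field is still assigned for subclasses that read it.
        AuditManager auditContext = new AuditManager();
        this.auditManager = auditContext;
        Object httpServletRequest = auditContext.getHttpServletRequest();
        Object webRequest = auditContext.getWebRequest();
        String realm = auditContext.getRealm();

        EJBMethodMetaData methodMetaData = eJBRequestData.getEJBMethodMetaData();
        String application = methodMetaData.getEJBComponentMetaData().getJ2EEName().getApplication();
        String module = methodMetaData.getEJBComponentMetaData().getJ2EEName().getModule();
        String component = methodMetaData.getEJBComponentMetaData().getJ2EEName().getComponent();
        String methodName = methodMetaData.getMethodName();
        String specName = methodMetaData.getEJBMethodInterface().specName();
        String methodSignature = methodMetaData.getMethodSignature();

        Map<String, Object> auditFields = new HashMap<>();
        populateAuditEJBHashMap(eJBRequestData, auditFields);

        // A missing provider must not be mistaken for "no constraints"; fail loudly instead.
        JaccService jaccService = Objects.requireNonNull(this.jaccServiceRef.getService(), "JaccService is not available");
        boolean authorized = jaccService.isAuthorized(application, module, component, methodName, specName, methodSignature,
                                                      toArgumentList(eJBRequestData.getMethodArguments()),
                                                      asEnterpriseBean(eJBRequestData.getBeanInstance()), subject);

        // Null only when the Subject has no WSPrincipal; treated as a denial below so that the
        // failure is audited instead of escaping as an unchecked NoSuchElementException.
        String callerName = callerName(subject);
        if (authorized && callerName != null) {
            Audit.audit(Audit.EventID.SECURITY_AUTHZ_03, new Object[] {
                         new AuditAuthenticationResult(AuditAuthResult.SUCCESS, callerName, AUDIT_AUTH_TYPE, (String) null, "success"),
                         auditFields, httpServletRequest, webRequest, realm, subject, Integer.valueOf(AUDIT_STATUS_GRANTED) });
            return;
        }

        Object[] messageArgs = new Object[] { callerName, methodName, application };
        Tr.audit(tc, AUTHZ_FAILED_MSG_KEY, messageArgs);
        Audit.audit(Audit.EventID.SECURITY_AUTHZ_03, new Object[] {
                     new AuditAuthenticationResult(AuditAuthResult.FAILURE, callerName, AUDIT_AUTH_TYPE, (String) null, "failure"),
                     auditFields, httpServletRequest, webRequest, realm, subject, Integer.valueOf(AUDIT_STATUS_DENIED) });
        throw new EJBAccessDeniedException(TraceNLS.getFormattedMessage(getClass(), TraceConstants.MESSAGE_BUNDLE,
                                                                        AUTHZ_FAILED_MSG_KEY, messageArgs, AUTHZ_FAILED_DEFAULT_MSG));
    }

    /**
     * Asks the JACC provider whether {@code subject} is in a role for the current EJB request.
     *
     * @param eJBComponentMetaData component whose J2EE name identifies application, module and bean
     * @param eJBRequestData       request supplying the method name, arguments and bean instance
     * @param str                  passed to the provider after the argument list - presumably the
     *                             role name; confirm against {@link JaccService#isSubjectInRole}
     * @param str2                 not used by this implementation (kept for interface compatibility)
     * @param subject              caller's Subject
     * @return the provider's decision
     * @throws NullPointerException when no {@link JaccService} is currently registered
     */
    @Override // com.ibm.ws.ejbcontainer.security.internal.EJBAuthorizationHelper
    public boolean isCallerInRole(EJBComponentMetaData eJBComponentMetaData, EJBRequestData eJBRequestData, String str, String str2, Subject subject) {
        String application = eJBComponentMetaData.getJ2EEName().getApplication();
        String module = eJBComponentMetaData.getJ2EEName().getModule();
        String component = eJBComponentMetaData.getJ2EEName().getComponent();
        String methodName = eJBRequestData.getEJBMethodMetaData().getMethodName();
        JaccService jaccService = Objects.requireNonNull(this.jaccServiceRef.getService(), "JaccService is not available");
        return jaccService.isSubjectInRole(application, module, component, methodName,
                                           toArgumentList(eJBRequestData.getMethodArguments()), str,
                                           asEnterpriseBean(eJBRequestData.getBeanInstance()), subject);
    }

    /**
     * Converts the invocation arguments to the list form the provider expects.
     *
     * @return the arguments as a list, or {@code null} when there are none (the provider contract
     *         used by the original code distinguishes "no arguments" by null, not an empty list)
     */
    private static List<Object> toArgumentList(Object[] methodArguments) {
        if (methodArguments == null || methodArguments.length == 0) {
            return null;
        }
        return Arrays.asList(methodArguments);
    }

    /** Returns {@code beanInstance} as an {@link EnterpriseBean}, or {@code null} when it is not one. */
    private static EnterpriseBean asEnterpriseBean(Object beanInstance) {
        return beanInstance instanceof EnterpriseBean ? (EnterpriseBean) beanInstance : null;
    }

    /**
     * Reads the caller name from the first {@link WSPrincipal} of {@code subject}.
     *
     * @return the principal name, or {@code null} when the Subject carries no {@link WSPrincipal}
     */
    private static String callerName(Subject subject) {
        Iterator<WSPrincipal> principals = subject.getPrincipals(WSPrincipal.class).iterator();
        return principals.hasNext() ? principals.next().getName() : null;
    }
}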
