package com.ibm.ws.security.javaeesec.identitystore;

import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.websphere.ras.annotation.TraceOptions;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.ws.security.javaeesec.CDIHelper;
import com.ibm.ws.security.javaeesec.properties.ModulePropertiesUtils;
import java.lang.annotation.Annotation;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.util.Comparator;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;
import java.util.TreeSet;
import java.util.concurrent.ConcurrentHashMap;
import javax.enterprise.context.ApplicationScoped;
import javax.enterprise.inject.Default;
import javax.enterprise.inject.Instance;
import javax.enterprise.inject.spi.CDI;
import javax.security.enterprise.credential.Credential;
import javax.security.enterprise.identitystore.CredentialValidationResult;
import javax.security.enterprise.identitystore.IdentityStore;
import javax.security.enterprise.identitystore.IdentityStoreHandler;

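/**
 * Application-scoped {@link IdentityStoreHandler} that validates a credential against the
 * {@link IdentityStore} beans visible to the current module and merges the caller's groups.
 *
 * <p>Stores are discovered once per module name, cached in {@code identityStoreMap}, and
 * consulted in the order given by {@code priorityComparator}.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>The first store that returns {@code VALID} ends validation. A later store can neither
 *       overwrite that result nor change which store's {@code PROVIDE_GROUPS} setting applies.</li>
 *   <li>If no store returns {@code VALID}, the first {@code INVALID} result is returned when there
 *       is one; otherwise the result is {@code NOT_VALIDATED}. Neither outcome authenticates.</li>
 *   <li>Debug trace records caller identity attributes (principal name, DN, unique id, groups).
 *       The credential itself is never traced here.</li>
 * </ul>
 */
@Default
@InjectedFFDC
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
@ApplicationScoped
@TraceOptions
/* loaded from: input_file:com/ibm/ws/security/javaeesec/identitystore/IdentityStoreHandlerImpl.class */
public class IdentityStoreHandlerImpl implements IdentityStoreHandler {
    /** Identity stores discovered so far, keyed by the module name that was current at scan time. */
    private final ConcurrentHashMap<String, Set<IdentityStore>> identityStoreMap = new ConcurrentHashMap<>();
    static final long serialVersionUID = -5760572175591365065L;
    private static final TraceComponent tc = Tr.register(IdentityStoreHandlerImpl.class, "security", "com.ibm.ws.security.javaeesec.internal.resources.JavaEESecMessages");

    /**
     * Orders stores by ascending {@code priority()}.
     *
     * <p>It returns 0 only when the two stores are {@code equals}. Distinct stores with the same
     * priority compare as 1 in both directions, so a {@link TreeSet} built with this comparator
     * keeps both instead of treating one as a duplicate. This bends the usual symmetry
     * requirement of {@link Comparator}; it appears intentional, so do not "fix" it with
     * {@code Integer.compare} without accounting for equal-priority stores being dropped.
     */
    private static final Comparator<IdentityStore> priorityComparator = new Comparator<IdentityStore>() { // from class: com.ibm.ws.security.javaeesec.identitystore.IdentityStoreHandlerImpl.2
        static final long serialVersionUID = 881258636990031723L;
        // NOTE(review): the decompiled listing also declared a synthetic `$$$tc$$$` TraceComponent
        // here, registered against `AnonymousClass2`, a name that does not exist in source.
        // Presumably it is injected by build-time trace instrumentation; confirm before relying on it.

        @Override // java.util.Comparator
        public int compare(IdentityStore identityStore, IdentityStore identityStore2) {
            int order;
            if (identityStore.equals(identityStore2)) {
                order = 0;
            } else if (identityStore.priority() < identityStore2.priority()) {
                order = -1;
            } else {
                order = 1;
            }
            if (IdentityStoreHandlerImpl.tc.isDebugEnabled()) {
                Tr.debug(IdentityStoreHandlerImpl.tc, "compare", new Object[]{identityStore, identityStore2, Integer.valueOf(order), this});
            }
            return order;
        }
    };

    /**
     * Validates the credential against the identity stores of the current module.
     *
     * @param credential the credential to validate
     * @return the validation result; see {@link #validate(Set, Credential)}
     */
    public CredentialValidationResult validate(Credential credential) {
        return validate(getIdentityStores(this.identityStoreMap), credential);
    }

    /**
     * Validates the credential against the given stores, in the set's iteration order.
     *
     * <p>Only stores whose validation types include {@code VALIDATE} are asked. Iteration stops at
     * the first {@code VALID} result. That result is then rebuilt with the groups returned by
     * {@link #getGroups(Set, CredentialValidationResult, boolean)}.
     *
     * @param set        candidate stores, expected to be ordered by priority
     * @param credential the credential to validate
     * @return the rebuilt {@code VALID} result; otherwise the first {@code INVALID} result if any;
     *         otherwise the last non-valid result, or {@code NOT_VALIDATED_RESULT} when no store
     *         performed validation
     */
    public CredentialValidationResult validate(Set<IdentityStore> set, Credential credential) {
        CredentialValidationResult firstInvalid = null;
        CredentialValidationResult result = CredentialValidationResult.NOT_VALIDATED_RESULT;
        boolean validatingStoreProvidesGroups = false;
        boolean validationAttempted = false;
        if (!set.isEmpty()) {
            for (IdentityStore store : set) {
                Set<IdentityStore.ValidationType> types = store.validationTypes();
                // getGroups() already tolerates a null type set; skip such a store here as well
                // instead of failing the whole validation with a NullPointerException.
                if (types == null || !types.contains(IdentityStore.ValidationType.VALIDATE)) {
                    continue;
                }
                validationAttempted = true;
                result = store.validate(credential);
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "validation status : " + result.getStatus() + ", identityStore : " + store, new Object[0]);
                }
                if (result.getStatus() == CredentialValidationResult.Status.VALID) {
                    validatingStoreProvidesGroups = types.contains(IdentityStore.ValidationType.PROVIDE_GROUPS);
                    // First VALID wins. Without this break a lower-priority store would overwrite
                    // the result (even with INVALID), and the PROVIDE_GROUPS flag of one store
                    // could be applied to the caller groups reported by another.
                    break;
                }
                if (result.getStatus() == CredentialValidationResult.Status.INVALID && firstInvalid == null) {
                    firstInvalid = result;
                }
            }
            if (result != null && result.getStatus() == CredentialValidationResult.Status.VALID) {
                Set<String> groups = getGroups(set, result, validatingStoreProvidesGroups);
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "IdentityStore ID : " + result.getIdentityStoreId() + ", CallerPrincipal : " + (result.getCallerPrincipal() != null ? result.getCallerPrincipal().getName() : "null") + ", CallerDN : " + result.getCallerDn() + ", CallerUniqueId : " + result.getCallerUniqueId() + ", Groups : " + groups, new Object[0]);
                }
                result = new CredentialValidationResult(result.getIdentityStoreId(), result.getCallerPrincipal(), result.getCallerDn(), result.getCallerUniqueId(), groups);
            } else if (firstInvalid != null) {
                // An explicit rejection takes precedence over a later NOT_VALIDATED.
                result = firstInvalid;
            } else if (!validationAttempted) {
                Tr.error(tc, "JAVAEESEC_ERROR_NO_VALIDATION", new Object[0]);
                result = CredentialValidationResult.NOT_VALIDATED_RESULT;
            }
        } else if (tc.isDebugEnabled()) {
            Tr.debug(tc, "No IdentityStore bean is registered.", new Object[0]);
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "validation status : " + result.getStatus(), new Object[0]);
        }
        return result;
    }

    /**
     * Collects the caller's groups for a successful validation.
     *
     * @param set                       all stores of the module
     * @param credentialValidationResult the {@code VALID} result from the validating store
     * @param z                         {@code true} if the validating store also declares
     *                                  {@code PROVIDE_GROUPS}; only then are the groups carried
     *                                  in the result itself included
     * @return a new set holding the result's own groups (when {@code z}) plus the groups of every
     *         store that declares {@code PROVIDE_GROUPS} without {@code VALIDATE}; never null
     */
    protected Set<String> getGroups(Set<IdentityStore> set, CredentialValidationResult credentialValidationResult, boolean z) {
        Set<String> merged = new HashSet<>();
        if (z) {
            Set<String> callerGroups = credentialValidationResult.getCallerGroups();
            if (callerGroups != null && !callerGroups.isEmpty()) {
                merged.addAll(callerGroups);
            }
        }
        for (IdentityStore identityStore : set) {
            Set<IdentityStore.ValidationType> validationTypes = identityStore.validationTypes();
            if (validationTypes == null) {
                continue;
            }
            boolean providesGroups = validationTypes.contains(IdentityStore.ValidationType.PROVIDE_GROUPS);
            boolean validates = validationTypes.contains(IdentityStore.ValidationType.VALIDATE);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "IdentityStore : " + identityStore + ", PROVIDE_GROUPS : " + providesGroups + ", VALIDATE : " + validates, new Object[0]);
            }
            // Only group-only stores are asked; stores that also validate are not consulted here.
            if (providesGroups && !validates) {
                Set<String> groups = getGroups(identityStore, credentialValidationResult);
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "IdentityStore : " + identityStore + ", groups : " + groups, new Object[0]);
                }
                if (groups != null && !groups.isEmpty()) {
                    merged.addAll(groups);
                }
            }
        }
        return merged;
    }

    /**
     * Asks a single store for the caller's groups inside {@code doPrivileged}, so the call is
     * evaluated with this class's permissions rather than those of callers further up the stack.
     *
     * @param identityStore              the store to query
     * @param credentialValidationResult the successful validation result identifying the caller
     * @return whatever the store returns; may be null
     */
    private Set<String> getGroups(final IdentityStore identityStore, final CredentialValidationResult credentialValidationResult) {
        return AccessController.doPrivileged(new PrivilegedAction<Set<String>>() { // from class: com.ibm.ws.security.javaeesec.identitystore.IdentityStoreHandlerImpl.1
            static final long serialVersionUID = 2582177789860945714L;
            // NOTE(review): the decompiled listing also declared a synthetic `$$$tc$$$` TraceComponent
            // here, registered against `AnonymousClass1`, a name that does not exist in source.
            // Presumably it is injected by build-time trace instrumentation; confirm before relying on it.

            @Override // java.security.PrivilegedAction
            public Set<String> run() {
                return identityStore.getCallerGroups(credentialValidationResult);
            }
        });
    }

    /** Returns the current CDI container; a separate method so subclasses can substitute it. */
    protected CDI<Object> getCDI() {
        return CDI.current();
    }

    /**
     * Returns the identity stores for the current module, scanning and caching them on first use.
     *
     * <p>When more than one store is cached, a fresh priority-ordered copy is returned on every
     * call, presumably because {@code priority()} may change at runtime (confirm). The previous
     * listing copied the new, empty set into itself, so a module with several stores got an empty
     * set on every call after the first and every credential came back {@code NOT_VALIDATED}.
     *
     * @param concurrentHashMap cache of stores keyed by module name
     * @return the stores for the current module, ordered by {@code priorityComparator}
     */
    protected Set<IdentityStore> getIdentityStores(ConcurrentHashMap<String, Set<IdentityStore>> concurrentHashMap) {
        String moduleName = getModuleName();
        Set<IdentityStore> cached = concurrentHashMap.get(moduleName);
        if (cached == null) {
            Set<IdentityStore> discovered = new TreeSet<>(priorityComparator);
            scanIdentityStores(discovered);
            concurrentHashMap.put(moduleName, discovered);
            return discovered;
        }
        if (cached.size() > 1) {
            Set<IdentityStore> reordered = new TreeSet<>(priorityComparator);
            // Add one element at a time: TreeSet.addAll() on an empty set trusts the existing
            // order of a sorted source that uses the same comparator and would not re-compare.
            for (IdentityStore store : cached) {
                reordered.add(store);
            }
            return reordered;
        }
        return cached;
    }

    /**
     * Adds every {@link IdentityStore} bean found through CDI to the given set.
     *
     * <p>If the bean manager of the current CDI container differs from the one reported by
     * {@code CDIHelper}, the beans of the current module are added as well.
     *
     * @param set the set that receives the discovered stores
     */
    protected void scanIdentityStores(Set<IdentityStore> set) {
        CDI<Object> cdi = getCDI();
        Instance<IdentityStore> fromCdi = cdi.select(IdentityStore.class, new Annotation[0]);
        if (fromCdi != null) {
            for (IdentityStore store : fromCdi) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "IdentityStore from the CDI: " + store + ", validationTypes : " + store.validationTypes() + ", priority : " + store.priority(), new Object[0]);
                }
                set.add(store);
            }
        }
        if (!cdi.getBeanManager().equals(CDIHelper.getBeanManager())) {
            for (IdentityStore moduleStore : CDIHelper.getBeansFromCurrentModule(IdentityStore.class)) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "IdentityStore from module BeanManager: " + moduleStore + ", validationTypes : " + moduleStore.validationTypes() + ", priority : " + moduleStore.priority(), new Object[0]);
                }
                set.add(moduleStore);
            }
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Number of identityStore : " + set.size(), new Object[0]);
        }
    }

    /** Returns the module name used as the cache key for discovered identity stores. */
    protected String getModuleName() {
        return ModulePropertiesUtils.getInstance().getJ2EEModuleName();
    }

    /** Drops all cached identity stores so the next lookup rescans them. */
    protected void clearIdentityStoreMap() {
        this.identityStoreMap.clear();
    }
}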
