package com.ibm.ws.security.registry.basic.internal;

import com.ibm.ejs.ras.TraceNLS;
import com.ibm.websphere.crypto.PasswordUtil;
import com.ibm.websphere.ras.ProtectedString;
import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.Sensitive;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.websphere.security.CertificateMapFailedException;
import com.ibm.websphere.security.CertificateMapNotSupportedException;
import com.ibm.websphere.security.X509CertificateMapper;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.ffdc.annotation.FFDCIgnore;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.ws.security.registry.CustomRegistryException;
import com.ibm.ws.security.registry.EntryNotFoundException;
import com.ibm.ws.security.registry.LDAPUtils;
import com.ibm.ws.security.registry.NotImplementedException;
import com.ibm.ws.security.registry.RegistryException;
import com.ibm.ws.security.registry.SearchResult;
import com.ibm.ws.security.registry.UserRegistry;
import java.nio.charset.StandardCharsets;
import java.rmi.RemoteException;
import java.security.MessageDigest;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.atomic.AtomicReference;
import java.util.regex.Pattern;
import org.apache.felix.scr.ext.annotation.DSExt;
import org.osgi.service.component.annotations.Activate;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.ConfigurationPolicy;
import org.osgi.service.component.annotations.Deactivate;
import org.osgi.service.component.annotations.Modified;
import org.osgi.service.component.annotations.Reference;
import org.osgi.service.component.annotations.ReferenceCardinality;
import org.osgi.service.component.annotations.ReferencePolicy;

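/**
 * {@link UserRegistry} backed by the users and groups declared in a
 * {@link BasicRegistryConfig} (the {@code basicRegistry} configuration).
 *
 * <p>The parsed configuration lives in a {@link State} snapshot that
 * {@link #activate(BasicRegistryConfig)} replaces wholesale on every
 * (re)configuration. Lookups read {@code this.state} once and then work on that
 * snapshot, so a concurrent reconfiguration can never make a single call observe
 * the users of one configuration and the groups of another.
 *
 * <p>Thread-safety: {@code state} is volatile and a snapshot's maps are never
 * written after construction; the custom certificate mapper is held in an
 * {@link AtomicReference} because DS binds and unbinds it dynamically.
 */
@InjectedFFDC
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
@Component(configurationPid = {"com.ibm.ws.security.registry.basic.config"}, configurationPolicy = ConfigurationPolicy.REQUIRE, property = {"service.vendor=IBM", "com.ibm.ws.security.registry.type=Basic"})
@DSExt.ConfigureWithInterfaces
public class BasicRegistry implements UserRegistry {
    private static final TraceComponent tc = Tr.register(BasicRegistry.class);
    /** NLS bundle holding the configuration-validation messages logged while parsing users and groups. */
    private static final String MESSAGES_BUNDLE = "com.ibm.ws.security.registry.basic.internal.resources.LoggingMessages";
    protected static final String DEFAULT_REALM_NAME = "BasicRegistry";
    static final String TYPE = "Basic";
    /** Current parsed configuration; {@code null} between {@link #deactivate()} and the next activation. */
    private volatile State state;
    /** {@code certificateMapMode} from the configuration; compared case-insensitively with the {@code BasicRegistryConfig.MAP_MODE_*} constants. */
    private String certificateMapMode = null;
    /** Custom X.509 mapper bound through {@link #setCertificateMapper}; {@code null} while none is bound. */
    private final AtomicReference<X509CertificateMapper> iCertificateMapperRef = new AtomicReference<>();
    static final long serialVersionUID = 2804906874371582872L;

    /**
     * Snapshot of one parsed configuration. Instances are built once in
     * {@link BasicRegistry#activate(BasicRegistryConfig)} and never modified afterwards.
     */
    @InjectedFFDC
    @TraceObjectField(fieldName = "$$$tc$$$", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
    public class State {
        /** Realm name reported by {@link BasicRegistry#getRealm()}. */
        final String realm;
        /** When {@code true}, user-name lookups compare with {@link String#equalsIgnoreCase}. */
        final boolean ignoreCaseForAuthentication;
        /** Trimmed user name to its credential; never contains {@code null} values. */
        final Map<String, BasicPassword> users;
        /** Trimmed group name to its trimmed, de-duplicated member names. */
        final Map<String, List<String>> groups;
        static final long serialVersionUID = 5710178692591493678L;
        private static final TraceComponent $$$tc$$$ = Tr.register(State.class);

        /**
         * @param realm                       realm name
         * @param ignoreCaseForAuthentication whether user lookups ignore case
         * @param users                       user name to credential
         * @param groups                      group name to member names
         */
        public State(String realm, boolean ignoreCaseForAuthentication, Map<String, BasicPassword> users, Map<String, List<String>> groups) {
            this.realm = realm;
            this.ignoreCaseForAuthentication = ignoreCaseForAuthentication;
            this.users = users;
            this.groups = groups;
        }
    }

    /**
     * Parses {@code basicRegistryConfig} into a fresh {@link State} and publishes it.
     * Runs on activation and again on every configuration update ({@code @Modified}).
     *
     * @param basicRegistryConfig the bound {@code basicRegistry} configuration
     */
    @Activate
    @Modified
    protected void activate(BasicRegistryConfig basicRegistryConfig) {
        Map<String, BasicPassword> users = users(basicRegistryConfig.user());
        Map<String, List<String>> groups = group(basicRegistryConfig.group(), users);
        this.state = new State(basicRegistryConfig.realm(), basicRegistryConfig.ignoreCaseForAuthentication(), users, groups);
        if (users.isEmpty()) {
            Tr.warning(tc, "BASIC_REGISTRY_NO_USERS_DEFINED", new Object[]{basicRegistryConfig.config_id()});
        }
        this.certificateMapMode = basicRegistryConfig.certificateMapMode();
    }

    /**
     * Validates the configured {@code <user>} elements and indexes them by trimmed name.
     *
     * <p>Rejected definitions are logged and omitted: a blank name, a blank or missing
     * password, and any name defined more than once. Every occurrence of a duplicated
     * name is dropped, not only the later ones, so a repeated definition can never
     * silently override an earlier credential. A credential that
     * {@link PasswordUtil#isHashed} recognises is stored as-is; anything else is run
     * through {@link PasswordUtil#passwordDecode} first.
     *
     * @param userArr the configured user elements
     * @return accepted users keyed by trimmed name
     */
    private static Map<String, BasicPassword> users(User[] userArr) {
        Set<String> rejectedNames = new HashSet<>();
        Map<String, BasicPassword> byName = new HashMap<>(userArr.length);
        for (User user : userArr) {
            String name = user.name().trim();
            if (name.isEmpty()) {
                Tr.error(tc, "BASIC_REGISTRY_INVALID_USER_DEFINITION", new Object[]{TraceNLS.getStringFromBundle(BasicRegistry.class, MESSAGES_BUNDLE, "USER_MUST_DEFINE_NAME", "A user element must define a name.")});
                continue;
            }
            if (byName.containsKey(name) || rejectedNames.contains(name)) {
                rejectedNames.add(name);
                byName.remove(name);
                Tr.error(tc, "BASIC_REGISTRY_SAME_USER_DEFINITION", new Object[]{name});
                continue;
            }
            // A user element without a password attribute is treated like a blank one
            // instead of failing the whole activation with a NullPointerException.
            String password = user.password() == null ? "" : new String(user.password().getChars()).trim();
            if (password.isEmpty()) {
                rejectedNames.add(name);
                Tr.error(tc, "BASIC_REGISTRY_INVALID_USER_DEFINITION", new Object[]{TraceNLS.getFormattedMessage(BasicRegistry.class, MESSAGES_BUNDLE, "USER_MUST_DEFINE_PASSWORD", new Object[]{name}, "The user element with name ''{0}'' must define a password.")});
                continue;
            }
            boolean hashed = PasswordUtil.isHashed(password);
            String credential = hashed ? password : PasswordUtil.passwordDecode(password);
            byName.put(name, new BasicPassword(credential, hashed));
        }
        return byName;
    }

    /**
     * Validates the configured {@code <group>} elements and indexes them by trimmed name.
     * Blank and duplicated group names are rejected exactly as in {@link #users}.
     *
     * @param groupArr the configured group elements
     * @param users    the accepted users, used to warn about members that name no user
     * @return accepted groups keyed by trimmed name
     */
    private static Map<String, List<String>> group(Group[] groupArr, Map<String, BasicPassword> users) {
        Set<String> rejectedNames = new HashSet<>();
        Map<String, List<String>> byName = new HashMap<>(groupArr.length);
        for (Group group : groupArr) {
            String name = group.name().trim();
            if (name.isEmpty()) {
                Tr.error(tc, "BASIC_REGISTRY_INVALID_GROUP_DEFINITION", new Object[]{TraceNLS.getStringFromBundle(BasicRegistry.class, MESSAGES_BUNDLE, "GROUP_MUST_DEFINE_NAME", "A group element must define a name.")});
                continue;
            }
            if (byName.containsKey(name) || rejectedNames.contains(name)) {
                rejectedNames.add(name);
                byName.remove(name);
                Tr.error(tc, "BASIC_REGISTRY_SAME_GROUP_DEFINITION", new Object[]{name});
                continue;
            }
            byName.put(name, members(group, name, users));
        }
        return byName;
    }

    /**
     * Collects the trimmed, de-duplicated member names of one group, logging blank
     * members as errors and repeated or unknown members as warnings.
     *
     * @param group     the group element
     * @param groupName the group's trimmed name, for the messages
     * @param users     the accepted users
     * @return member names in declaration order
     */
    private static List<String> members(Group group, String groupName, Map<String, BasicPassword> users) {
        Member[] declared = group.member();
        List<String> memberNames = new ArrayList<>(declared.length);
        Set<String> seen = new HashSet<>(declared.length);
        for (Member member : declared) {
            String memberName = member.name().trim();
            if (memberName.isEmpty()) {
                Tr.error(tc, "BASIC_REGISTRY_INVALID_MEMBER_DEFINITION", new Object[]{TraceNLS.getStringFromBundle(BasicRegistry.class, MESSAGES_BUNDLE, "MEMBER_MUST_DEFINE_NAME", "A member element must define a name.")});
            } else if (!seen.add(memberName)) {
                Tr.warning(tc, "BASIC_REGISTRY_SAME_MEMBER_DEFINITION", new Object[]{memberName, groupName});
            } else {
                memberNames.add(memberName);
                if (!users.containsKey(memberName)) {
                    Tr.warning(tc, "BASIC_REGISTRY_UNKNOWN_MEMBER_DEFINITION", new Object[]{memberName, groupName});
                }
            }
        }
        return memberNames;
    }

    /** Drops the configuration snapshot; registry calls made after this throw {@link NullPointerException}. */
    @Deactivate
    protected void deactivate() {
        this.state = null;
    }

    /** @return the configured realm name */
    public String getRealm() {
        return this.state.realm;
    }

    /**
     * Authenticates {@code str} with {@code str2}.
     *
     * <p>A hashed credential is verified by re-encoding the supplied password with the
     * stored hash's algorithm and parameters and comparing the encodings without
     * short-circuiting on the first differing byte; a decoded credential is compared as
     * {@link ProtectedString}s. An unknown user and a wrong password both yield
     * {@code null}, so the caller cannot tell them apart.
     *
     * @param str  the user security name (matched per {@code ignoreCaseForAuthentication})
     * @param str2 the password; excluded from trace
     * @return {@code str} on success, {@code null} on any mismatch
     * @throws IllegalArgumentException if either argument is null or blank, or the stored
     *                                  hash cannot be evaluated (cause attached)
     * @throws RegistryException        declared by the interface; not raised here
     */
    public String checkPassword(String str, @Sensitive String str2) throws RegistryException {
        requireNonEmpty(str, "userSecurityName");
        if (str2 == null) {
            throw new IllegalArgumentException("password is null");
        }
        if (str2.trim().isEmpty()) {
            throw new IllegalArgumentException("password is an empty String");
        }
        BasicPassword credential = lookupUser(this.state, str);
        if (credential == null) {
            return null;
        }
        boolean matched = credential.isHashed()
                ? matchesHashed(credential.getHashedPassword(), str, str2)
                : matchesPlain(credential.getPassword(), str2);
        return matched ? str : null;
    }

    /**
     * Re-encodes {@code suppliedPassword} with the algorithm and parameters carried by
     * {@code storedHash} and compares the two encodings in constant time.
     *
     * @param storedHash       the stored hashed credential; {@code null} never matches
     * @param userName         only used as FFDC context when encoding fails
     * @param suppliedPassword the password being checked
     * @return whether the encodings are identical
     * @throws IllegalArgumentException if {@link PasswordUtil#encode} fails; the cause is preserved
     */
    private boolean matchesHashed(String storedHash, String userName, @Sensitive String suppliedPassword) {
        if (storedHash == null) {
            return false;
        }
        Map<String, String> hashProperties = new HashMap<>();
        hashProperties.put("hash.encoded", storedHash);
        String recomputed;
        try {
            recomputed = PasswordUtil.encode(suppliedPassword, PasswordUtil.getCryptoAlgorithm(storedHash), hashProperties);
        } catch (Exception e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.registry.basic.internal.BasicRegistry", "336", this, new Object[]{userName, "<sensitive java.lang.String>"});
            throw new IllegalArgumentException("password encoding failure : " + e.getMessage(), e);
        }
        // MessageDigest.isEqual does not return early on the first mismatching byte,
        // unlike String.equals, so the comparison time does not leak how much of the
        // recomputed hash matched the stored one.
        return recomputed != null
                && MessageDigest.isEqual(storedHash.getBytes(StandardCharsets.UTF_8), recomputed.getBytes(StandardCharsets.UTF_8));
    }

    /**
     * Compares a decoded (non-hashed) credential with the supplied password.
     *
     * @param stored           the stored credential; {@code null} never matches
     * @param suppliedPassword the password being checked
     * @return whether {@link ProtectedString#equals} reports a match
     */
    private static boolean matchesPlain(ProtectedString stored, @Sensitive String suppliedPassword) {
        // NOTE(review): whether ProtectedString.equals compares in constant time is not
        // visible here; confirm before relying on it for timing resistance.
        return stored != null && stored.equals(new ProtectedString(suppliedPassword.toCharArray()));
    }

    /**
     * Finds the credential for {@code name} in {@code current}, honouring
     * {@code ignoreCaseForAuthentication}.
     *
     * <p>With case-insensitive matching the first key that matches in the map's iteration
     * order wins; when several configured users differ only by case that choice is not
     * deterministic, because the map is a {@link HashMap}.
     *
     * @param current the snapshot to search
     * @param name    the user name as supplied by the caller (not trimmed here)
     * @return the credential, or {@code null} if no user matches
     */
    private static BasicPassword lookupUser(State current, String name) {
        if (!current.ignoreCaseForAuthentication) {
            return current.users.get(name);
        }
        for (Map.Entry<String, BasicPassword> entry : current.users.entrySet()) {
            if (entry.getKey().equalsIgnoreCase(name)) {
                return entry.getValue();
            }
        }
        return null;
    }

    /**
     * Maps a client certificate chain to a user security name according to
     * {@code certificateMapMode}: disabled, delegated to the bound custom mapper, or
     * (default) the CN of the leaf certificate's subject DN.
     *
     * @param x509CertificateArr the presented chain, leaf first
     * @return the mapped user security name
     * @throws com.ibm.ws.security.registry.CertificateMapNotSupportedException if mapping is disabled or the custom mapper declines
     * @throws com.ibm.ws.security.registry.CertificateMapFailedException       if no registered user results
     * @throws RegistryException                                                 propagated from the user lookup
     * @throws IllegalArgumentException                                          if the chain is null or empty
     */
    public String mapCertificate(X509Certificate[] x509CertificateArr) throws com.ibm.ws.security.registry.CertificateMapNotSupportedException, com.ibm.ws.security.registry.CertificateMapFailedException, RegistryException {
        // Read the mode once so a concurrent reconfiguration cannot switch branches mid-call.
        String mode = this.certificateMapMode;
        if (BasicRegistryConfig.MAP_MODE_NOT_SUPPORTED.equalsIgnoreCase(mode)) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Certificate authentication has been disabled for this basic registry.", new Object[0]);
            }
            throw new com.ibm.ws.security.registry.CertificateMapNotSupportedException(Tr.formatMessage(tc, "BASIC_REGISTRY_CERT_IGNORED", new Object[0]));
        }
        if (BasicRegistryConfig.MAP_MODE_CUSTOM.equalsIgnoreCase(mode)) {
            return mapCertificateWithCustomMapper(x509CertificateArr);
        }
        return mapCertificateByCommonName(x509CertificateArr);
    }

    /**
     * Default mapping: the CN of the leaf certificate's subject DN must name a registered user.
     *
     * @param chain the presented chain, leaf first
     * @return the CN
     * @throws com.ibm.ws.security.registry.CertificateMapFailedException if the DN has no CN or the CN is not a user
     * @throws RegistryException                                           propagated from {@link #isValidUser}
     */
    private String mapCertificateByCommonName(X509Certificate[] chain) throws com.ibm.ws.security.registry.CertificateMapFailedException, RegistryException {
        if (chain == null || chain.length == 0 || chain[0] == null) {
            throw new IllegalArgumentException("cert is null");
        }
        String subjectDn = chain[0].getSubjectX500Principal().getName();
        String commonName = LDAPUtils.getCNFromDN(subjectDn);
        if (commonName == null || !isValidUser(commonName)) {
            throw new com.ibm.ws.security.registry.CertificateMapFailedException(Tr.formatMessage(tc, "BASIC_REGISTRY_NAME_NOT_FOUND", new Object[]{subjectDn}));
        }
        return commonName;
    }

    /**
     * Custom mapping: delegates to the bound {@link X509CertificateMapper} and requires
     * its answer to name a registered user. Only the mapper call itself is wrapped, so
     * this registry's own failures are never re-wrapped as mapper failures.
     *
     * @param chain the presented chain
     * @return the mapper's answer
     * @throws com.ibm.ws.security.registry.CertificateMapFailedException       if no mapper is bound, the mapper fails, or its answer is not a user
     * @throws com.ibm.ws.security.registry.CertificateMapNotSupportedException if the mapper declines
     * @throws RegistryException                                                 propagated from {@link #isValidUser}
     */
    @FFDCIgnore({CertificateMapNotSupportedException.class, CertificateMapFailedException.class})
    private String mapCertificateWithCustomMapper(X509Certificate[] chain) throws com.ibm.ws.security.registry.CertificateMapNotSupportedException, com.ibm.ws.security.registry.CertificateMapFailedException, RegistryException {
        if (chain == null || chain.length == 0) {
            throw new IllegalArgumentException("cert is null");
        }
        X509CertificateMapper mapper = this.iCertificateMapperRef.get();
        if (mapper == null) {
            throw new com.ibm.ws.security.registry.CertificateMapFailedException(Tr.formatMessage(tc, "BASIC_REGISTRY_MAPPER_NOT_BOUND", new Object[0]));
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Using custom X.509 certificate mapper: " + mapper.getClass(), new Object[0]);
        }
        String mapped;
        try {
            mapped = mapper.mapCertificate(chain);
        } catch (CertificateMapFailedException e) {
            throw new com.ibm.ws.security.registry.CertificateMapFailedException(Tr.formatMessage(tc, "BASIC_REGISTRY_CUSTOM_MAPPER_FAILED", new Object[0]), e);
        } catch (CertificateMapNotSupportedException e2) {
            throw new com.ibm.ws.security.registry.CertificateMapNotSupportedException(Tr.formatMessage(tc, "BASIC_REGISTRY_CUSTOM_MAPPER_NOT_SUPPORTED", new Object[0]), e2);
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "The custom X.509 certificate mapper returned the following mapping: " + mapped, new Object[0]);
        }
        if (mapped == null || !isValidUser(mapped)) {
            throw new com.ibm.ws.security.registry.CertificateMapFailedException(Tr.formatMessage(tc, "BASIC_REGISTRY_MAPPED_NAME_NOT_FOUND", new Object[]{mapped}));
        }
        return mapped;
    }

    /**
     * Reports whether a user named {@code str} (trimmed) exists. Both the case-sensitive
     * and the case-insensitive lookup use the trimmed name.
     *
     * @param str the user security name
     * @return whether the user exists
     * @throws IllegalArgumentException if {@code str} is null or blank
     * @throws RegistryException        declared by the interface; not raised here
     */
    public boolean isValidUser(String str) throws RegistryException {
        if (str == null) {
            throw new IllegalArgumentException("userSecurityName is null");
        }
        String name = str.trim();
        if (name.isEmpty()) {
            throw new IllegalArgumentException("userSecurityName is an empty String");
        }
        return lookupUser(this.state, name) != null;
    }

    /**
     * @param str wildcard pattern, see {@link #searchMap}
     * @param i   result limit, see {@link #searchMap}
     * @return matching user names
     */
    public SearchResult getUsers(String str, int i) throws RegistryException {
        return searchMap(this.state.users, str, i);
    }

    /**
     * Translates a registry search pattern into a regular expression. {@code *} is the
     * only wildcard; every other character, including regex metacharacters such as
     * {@code .}, {@code (} or {@code +}, matches literally.
     *
     * @param str the pattern (non-empty)
     * @return a regex that matches exactly the strings the pattern describes
     */
    private static String convertToRegex(String str) {
        StringBuilder regex = new StringBuilder(str.length() + 8);
        int literalStart = 0;
        for (int star = str.indexOf('*'); star >= 0; star = str.indexOf('*', literalStart)) {
            if (star > literalStart) {
                regex.append(Pattern.quote(str.substring(literalStart, star)));
            }
            regex.append(".*");
            literalStart = star + 1;
        }
        if (literalStart < str.length()) {
            regex.append(Pattern.quote(str.substring(literalStart)));
        }
        return regex.toString();
    }

    /**
     * Returns the keys of {@code map} that match {@code str}.
     *
     * <p>{@code i == 0} means unbounded; {@code i > 0} returns at most {@code i} keys and
     * flags the result as having more when a further key matched; a negative
     * {@code i} or an empty map yields an empty result. Key order follows the map.
     *
     * @param map the registry entries to search
     * @param str the pattern; only {@code *} is a wildcard
     * @param i   the result limit
     * @return the matches
     * @throws IllegalArgumentException if {@code str} is null or empty
     */
    private SearchResult searchMap(Map<String, ?> map, String str, int i) {
        requireNonEmpty(str, "pattern");
        if (i < 0 || map.isEmpty()) {
            return new SearchResult();
        }
        Pattern pattern = Pattern.compile(convertToRegex(str));
        List<String> matches = new ArrayList<>();
        boolean hasMore = false;
        for (String key : map.keySet()) {
            if (!pattern.matcher(key).matches()) {
                continue;
            }
            if (i > 0 && matches.size() == i) {
                hasMore = true;
                break;
            }
            matches.add(key);
        }
        return matches.isEmpty() ? new SearchResult() : new SearchResult(matches, hasMore);
    }

    /** @return {@code str}, which is also the user's display name here */
    public String getUserDisplayName(String str) throws EntryNotFoundException, RegistryException {
        return requireExistingUser(str, "userSecurityName");
    }

    /** @return {@code str}, which is also the user's unique id here */
    public String getUniqueUserId(String str) throws EntryNotFoundException, RegistryException {
        return requireExistingUser(str, "userSecurityName");
    }

    /** @return {@code str}, which is also the user's security name here */
    public String getUserSecurityName(String str) throws EntryNotFoundException, RegistryException {
        return requireExistingUser(str, "uniqueUserId");
    }

    /**
     * Reports whether a group named exactly {@code str} exists (no trimming, case-sensitive).
     *
     * @param str the group security name
     * @return whether the group exists
     * @throws IllegalArgumentException if {@code str} is null or empty
     */
    public boolean isValidGroup(String str) throws RegistryException {
        requireNonEmpty(str, "groupSecurityName");
        return this.state.groups.containsKey(str);
    }

    /**
     * @param str wildcard pattern, see {@link #searchMap}
     * @param i   result limit, see {@link #searchMap}
     * @return matching group names
     */
    public SearchResult getGroups(String str, int i) throws RegistryException {
        return searchMap(this.state.groups, str, i);
    }

    /** @return {@code str}, which is also the group's display name here */
    public String getGroupDisplayName(String str) throws EntryNotFoundException, RegistryException {
        return requireExistingGroup(str, "groupSecurityName");
    }

    /** @return {@code str}, which is also the group's unique id here */
    public String getUniqueGroupId(String str) throws EntryNotFoundException, RegistryException {
        return requireExistingGroup(str, "groupSecurityName");
    }

    /** @return {@code str}, which is also the group's security name here */
    public String getGroupSecurityName(String str) throws EntryNotFoundException, RegistryException {
        return requireExistingGroup(str, "uniqueGroupId");
    }

    /** Same as {@link #getGroupsForUser}: group ids and names coincide in this registry. */
    public List<String> getUniqueGroupIdsForUser(String str) throws EntryNotFoundException, RegistryException {
        return getGroupsForUser(str);
    }

    /**
     * Lists the groups whose member list contains {@code str}.
     *
     * @param str the user security name
     * @return the group names, in the groups map's iteration order
     * @throws IllegalArgumentException if {@code str} is null or empty
     * @throws EntryNotFoundException   if no such user exists
     */
    public List<String> getGroupsForUser(String str) throws EntryNotFoundException, RegistryException {
        requireNonEmpty(str, "userSecurityName");
        State current = this.state;
        if (lookupUser(current, str.trim()) == null) {
            throw new EntryNotFoundException(str + " does not exist");
        }
        // NOTE(review): membership is matched exactly even when the user lookup above
        // ignored case, so a differently-cased name passes the existence check but
        // collects no groups. Preserved as-is; confirm whether that is intended.
        List<String> groupNames = new ArrayList<>();
        for (Map.Entry<String, List<String>> group : current.groups.entrySet()) {
            if (group.getValue().contains(str)) {
                groupNames.add(group.getKey());
            }
        }
        return groupNames;
    }

    /**
     * Lists the members of group {@code str}.
     *
     * @param str the group security name
     * @param i   {@code 0} for all members, otherwise at most {@code i} of them
     * @return a copy of the member names; flagged as having more when the group holds more than {@code i}
     * @throws IllegalArgumentException if {@code str} is null or empty, or {@code i} is negative
     * @throws EntryNotFoundException   if no such group exists
     */
    public SearchResult getUsersForGroup(String str, int i) throws NotImplementedException, EntryNotFoundException, CustomRegistryException, RemoteException, RegistryException {
        requireNonEmpty(str, "groupSecurityName");
        if (i < 0) {
            throw new IllegalArgumentException("limit is less than zero");
        }
        // Existence and membership come from the same snapshot (equivalent to isValidGroup).
        List<String> members = this.state.groups.get(str);
        if (members == null) {
            throw new EntryNotFoundException(str + " does not exist");
        }
        List<String> all = new ArrayList<>(members);
        if (i == 0) {
            return new SearchResult(all, false);
        }
        boolean hasMore = all.size() > i;
        List<String> page = hasMore ? new ArrayList<>(all.subList(0, i)) : all;
        return new SearchResult(page, hasMore);
    }

    /** @return {@value #TYPE} */
    public String getType() {
        return TYPE;
    }

    /** DS bind method for the optional, dynamically-bound custom certificate mapper. */
    @Reference(cardinality = ReferenceCardinality.OPTIONAL, policy = ReferencePolicy.DYNAMIC, target = "(id=unbound)")
    protected void setCertificateMapper(X509CertificateMapper x509CertificateMapper) {
        this.iCertificateMapperRef.set(x509CertificateMapper);
    }

    /** DS unbind method; only clears the reference if it still points at the mapper being unbound. */
    protected void unsetCertificateMapper(X509CertificateMapper x509CertificateMapper) {
        this.iCertificateMapperRef.compareAndSet(x509CertificateMapper, null);
    }

    /**
     * Rejects a null or empty name with the messages every registry method uses.
     *
     * @param value   the argument value
     * @param argName the argument's name, as it should appear in the message
     * @throws IllegalArgumentException {@code "<argName> is null"} or {@code "<argName> is an empty String"}
     */
    private static void requireNonEmpty(String value, String argName) {
        if (value == null) {
            throw new IllegalArgumentException(argName + " is null");
        }
        if (value.isEmpty()) {
            throw new IllegalArgumentException(argName + " is an empty String");
        }
    }

    /**
     * Validates {@code name} and checks that it names an existing user.
     *
     * @param name    the user name
     * @param argName the argument name for {@link #requireNonEmpty}
     * @return {@code name}
     * @throws EntryNotFoundException if the user does not exist
     */
    private String requireExistingUser(String name, String argName) throws EntryNotFoundException, RegistryException {
        requireNonEmpty(name, argName);
        if (!isValidUser(name)) {
            throw new EntryNotFoundException(name + " does not exist");
        }
        return name;
    }

    /**
     * Validates {@code name} and checks that it names an existing group.
     *
     * @param name    the group name
     * @param argName the argument name for {@link #requireNonEmpty}
     * @return {@code name}
     * @throws EntryNotFoundException if the group does not exist
     */
    private String requireExistingGroup(String name, String argName) throws EntryNotFoundException, RegistryException {
        requireNonEmpty(name, argName);
        if (!isValidGroup(name)) {
            throw new EntryNotFoundException(name + " does not exist");
        }
        return name;
    }
}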
