package com.ibm.ws.security.appbnd.internal.delegation;

import com.ibm.websphere.crypto.PasswordUtil;
import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.websphere.ras.annotation.Trivial;
import com.ibm.ws.javaee.dd.appbnd.RunAs;
import com.ibm.ws.javaee.dd.appbnd.SecurityRole;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.ws.security.SecurityService;
import com.ibm.ws.security.appbnd.internal.TraceConstants;
import com.ibm.ws.security.authentication.AuthenticationData;
import com.ibm.ws.security.authentication.AuthenticationException;
import com.ibm.ws.security.authentication.WSAuthenticationData;
import com.ibm.ws.security.authentication.helper.AuthenticateUserHelper;
import com.ibm.ws.security.authentication.utility.JaasLoginConfigConstants;
import com.ibm.ws.security.delegation.DelegationProvider;
import java.util.Collection;
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.security.auth.Subject;

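/**
 * Resolves the run-as identity configured for an application security role and
 * authenticates it into a {@link Subject}.
 *
 * <p>Lookups are memoised per (application, role): the first resolution reads the
 * application's {@link SecurityRole} collection registered via
 * {@link #createAppToSecurityRolesMapping} and caches the result (a {@link NoRunAs}
 * marker when the role has no run-as). Because {@link #getRunAsSubject} is the
 * per-request entry point, all per-application caches are concurrent maps, matching
 * {@code appToSecurityRolesMap}; as a consequence application and role names must be
 * non-null.
 *
 * <p>NOTE(review): {@link #delegationUser} is shared mutable instance state that is
 * overwritten on every successful resolution, so {@link #getDelegationUser} reflects
 * the most recent caller, not necessarily the current one. It is retained as-is
 * because it is part of the public surface of this class.
 */
@InjectedFFDC
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
/* loaded from: input_file:wlp/lib/com.ibm.ws.security.appbnd_1.0.18.jar:com/ibm/ws/security/appbnd/internal/delegation/DefaultDelegationProvider.class */
public class DefaultDelegationProvider implements DelegationProvider {
    private static final TraceComponent tc = Tr.register((Class<?>) DefaultDelegationProvider.class, "security", TraceConstants.MESSAGE_BUNDLE);
    static final long serialVersionUID = -4692331405144078404L;
    /** Provides the authentication service; injected through {@link #setSecurityService}. */
    private SecurityService securityService;
    /**
     * Application name -> security roles registered for it. Holds the caller's own
     * collection (no defensive copy), so later mutation by the caller is visible here.
     */
    private final ConcurrentHashMap<String, Collection<SecurityRole>> appToSecurityRolesMap = new ConcurrentHashMap<>();
    /** Application name -> (role name -> resolved run-as, or a {@link NoRunAs} marker). */
    private final Map<String, Map<String, RunAs>> roleToRunAsMappingPerApp = new ConcurrentHashMap<>();
    /** Application name -> (role name -> {@code true} once the invalid-config warning was logged). */
    private final Map<String, Map<String, Boolean>> roleToWarningMappingPerApp = new ConcurrentHashMap<>();
    /** User id of the run-as identity most recently resolved by {@link #getRunAsSubject}. */
    public String delegationUser = "";

    /**
     * Injects the security service used to obtain the authentication service.
     *
     * @param securityService the service to use for run-as authentication
     */
    public void setSecurityService(SecurityService securityService) {
        this.securityService = securityService;
    }

    /**
     * Returns the authenticated run-as subject for a role of an application, or
     * {@code null} when no usable run-as (one with a user id) is configured.
     *
     * <p>A missing or incomplete run-as configuration is logged as a warning once per
     * (application, role) pair rather than on every request.
     *
     * @param roleName the security role name; must not be {@code null}
     * @param appName  the application name; must not be {@code null}
     * @return the authenticated subject, or {@code null} if the role has no valid run-as
     * @throws AuthenticationException if the configured run-as user fails to authenticate
     */
    @Override // com.ibm.ws.security.delegation.DelegationProvider
    public Subject getRunAsSubject(String roleName, String appName) throws AuthenticationException {
        RunAs runAs = getRunAs(roleName, appName);
        if (!isValidRunAs(runAs)) {
            if (!isWarningAlreadyIssued(roleName, appName)) {
                Tr.warning(tc, "RUNAS_INVALID_CONFIG", roleName, appName);
                markWarningAlreadyIssued(roleName, appName);
            }
            return null;
        }
        setDelegationUser(runAs);
        return authenticateRunAsUser(runAs);
    }

    /**
     * Returns the cached run-as for the role, resolving and caching it from the
     * application's role configuration on first use.
     */
    private RunAs getRunAs(String roleName, String appName) {
        // computeIfAbsent makes the resolve-then-cache step atomic per role; the
        // mapping function only reads appToSecurityRolesMap and never touches this map.
        return getRoleToRunAsMap(appName).computeIfAbsent(roleName, r -> getRunAsFromConfig(r, appName));
    }

    /**
     * Looks the role up in the application's registered {@link SecurityRole}s.
     * Never returns {@code null}: a role without run-as (or an unknown application)
     * yields a {@link NoRunAs} marker so the absence is cached as well.
     */
    private RunAs getRunAsFromConfig(String roleName, String appName) {
        if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
            // NOTE(review): this dumps every registered role via toString(); confirm that
            // SecurityRole/RunAs toString() does not render run-as credentials.
            Tr.debug(tc, "Using the hashmap: " + this.appToSecurityRolesMap.toString(), new Object[0]);
        }
        RunAs runAs = null;
        Collection<SecurityRole> roles = this.appToSecurityRolesMap.get(appName);
        if (roles == null) {
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "The app " + appName + " was not found in the map, " + this.appToSecurityRolesMap, new Object[0]);
            }
        } else {
            for (SecurityRole role : roles) {
                // Deliberately no break: when a role name appears more than once the
                // last entry wins, which is the pre-existing behaviour.
                if (roleName.equals(role.getName())) {
                    runAs = role.getRunAs();
                }
            }
        }
        return runAs == null ? new NoRunAs() : runAs;
    }

    /** Returns the per-application role -> run-as cache, creating it on first use. */
    private Map<String, RunAs> getRoleToRunAsMap(String appName) {
        return this.roleToRunAsMappingPerApp.computeIfAbsent(appName, a -> new ConcurrentHashMap<>());
    }

    /**
     * Records the user id of the given run-as as the current delegation user.
     *
     * @param runAs the run-as whose user id is recorded; must not be {@code null}
     */
    public void setDelegationUser(RunAs runAs) {
        this.delegationUser = runAs.getUserid();
    }

    /**
     * Returns the user id recorded by the most recent {@link #setDelegationUser} call
     * (initially the empty string).
     */
    @Override // com.ibm.ws.security.delegation.DelegationProvider
    public String getDelegationUser() {
        return this.delegationUser;
    }

    /** Whether the invalid-config warning has already been logged for this (app, role). */
    private boolean isWarningAlreadyIssued(String roleName, String appName) {
        Map<String, Boolean> warned = this.roleToWarningMappingPerApp.get(appName);
        return warned != null && Boolean.TRUE.equals(warned.get(roleName));
    }

    /** Remembers that the invalid-config warning was logged for this (app, role). */
    private void markWarningAlreadyIssued(String roleName, String appName) {
        getRoleToWarningMap(appName).put(roleName, Boolean.TRUE);
    }

    /** Returns the per-application role -> warned map, creating it on first use. */
    private Map<String, Boolean> getRoleToWarningMap(String appName) {
        return this.roleToWarningMappingPerApp.computeIfAbsent(appName, a -> new ConcurrentHashMap<>());
    }

    /** A run-as is usable only if it exists and carries a user id. */
    private boolean isValidRunAs(RunAs runAs) {
        return runAs != null && runAs.getUserid() != null;
    }

    /**
     * Authenticates the run-as user against the system web inbound login configuration.
     *
     * <p>When the run-as carries no password, authentication is delegated to
     * {@link AuthenticateUserHelper} (presumably a credential-less assertion of the
     * identity; confirm against that helper). Otherwise the decoded password is passed
     * as authentication data.
     *
     * @throws AuthenticationException if the login fails
     */
    private Subject authenticateRunAsUser(RunAs runAs) throws AuthenticationException {
        String userId = runAs.getUserid();
        // The decoded password is an immutable String, so it cannot be zeroed after use;
        // it is turned into a char[] only when the authentication data is built.
        String password = PasswordUtil.passwordDecode(runAs.getPassword());
        if (password == null) {
            return new AuthenticateUserHelper().authenticateUser(this.securityService.getAuthenticationService(), userId, JaasLoginConfigConstants.SYSTEM_WEB_INBOUND);
        }
        return this.securityService.getAuthenticationService().authenticate(JaasLoginConfigConstants.SYSTEM_WEB_INBOUND, createAuthenticationData(userId, password), (Subject) null);
    }

    /**
     * Registers the security roles of an application. The first registration for a
     * name wins; later calls for the same application are ignored until
     * {@link #removeRoleToRunAsMapping} is called.
     *
     * @param appName the application name; must not be {@code null}
     * @param roles   the application's roles; stored by reference, not copied
     */
    public void createAppToSecurityRolesMapping(String appName, Collection<SecurityRole> roles) {
        this.appToSecurityRolesMap.putIfAbsent(appName, roles);
    }

    /**
     * Drops everything cached for an application: its registered roles, its resolved
     * run-as entries and its warning markers.
     *
     * @param appName the application name
     */
    public void removeRoleToRunAsMapping(String appName) {
        // Remove the per-app cache itself (not just clear it) so a removed application
        // does not leave an empty map behind.
        Map<String, RunAs> cached = this.roleToRunAsMappingPerApp.remove(appName);
        if (cached != null) {
            cached.clear();
        }
        this.appToSecurityRolesMap.remove(appName);
        if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
            Tr.debug(tc, "Updated the appToSecurityRolesMap: " + this.appToSecurityRolesMap.toString(), new Object[0]);
        }
        removeRoleToWarningMapping(appName);
    }

    /**
     * Drops the warned-once markers for an application so that a reconfigured
     * application logs the invalid-config warning again.
     *
     * @param appName the application name
     */
    public void removeRoleToWarningMapping(String appName) {
        Map<String, Boolean> warned = this.roleToWarningMappingPerApp.remove(appName);
        if (warned != null) {
            warned.clear();
        }
    }

    /**
     * Builds authentication data for a user name and optional password.
     *
     * @param userName the user name
     * @param password the clear-text password, or {@code null} to omit the credential
     * @return authentication data holding the user name and, if given, the password as a char array
     */
    @Trivial
    protected AuthenticationData createAuthenticationData(String userName, String password) {
        WSAuthenticationData authData = new WSAuthenticationData();
        authData.set(AuthenticationData.USERNAME, userName);
        if (password != null) {
            authData.set(AuthenticationData.PASSWORD, password.toCharArray());
        }
        return authData;
    }
}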
