package com.ibm.ws.collective.member.internal.security;

import com.ibm.websphere.collective.controller.CollectiveRegistrationMBean;
import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.ws.collective.member.security.SingletonAuthorizer;
import com.ibm.ws.collective.security.CollectiveServerCredential;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.ffdc.annotation.FFDCIgnore;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.ws.security.context.SubjectManager;
import com.ibm.wsspi.kernel.service.utils.AtomicServiceReference;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.security.AccessControlException;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Set;
import javax.security.auth.Subject;
import org.apache.openjpa.persistence.query.AbstractVisitable;
import org.osgi.framework.ServiceReference;
import org.osgi.service.component.annotations.Activate;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.ConfigurationPolicy;
import org.osgi.service.component.annotations.Deactivate;
import org.osgi.service.component.annotations.Reference;
import org.osgi.service.component.annotations.ReferenceCardinality;
import org.osgi.service.component.annotations.ReferencePolicy;
import org.osgi.service.component.annotations.ReferencePolicyOption;

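/**
 * Authorizes callers of singleton operations on this collective member.
 * <p>
 * The decision is made from the caller {@link Subject} obtained through
 * {@link SubjectManager}, in this order:
 * <ol>
 * <li>no caller subject: granted (the trace text treats this as the server itself);</li>
 * <li>a subject without a {@link CollectiveServerCredential}: granted (an admin user);</li>
 * <li>a credential whose {@code isCollectiveController()} is true: granted;</li>
 * <li>any member credential while this server registers a
 * {@link CollectiveRegistrationMBean} (i.e. this server is a controller): granted;</li>
 * <li>otherwise the caller must be a member on the same host as this server,
 * see {@link #requireSameHost}.</li>
 * </ol>
 * Only the last step can deny; every other step grants unconditionally, so a
 * reviewer looking for the deny logic should start at {@link #requireSameHost}.
 * <p>
 * Thread-safety: the instance holds only final references; the OSGi service
 * reference is an {@link AtomicServiceReference}.
 */
@InjectedFFDC
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
@Component(service = {SingletonAuthorizer.class}, configurationPolicy = ConfigurationPolicy.IGNORE, property = {"service.vendor=IBM"})
/* loaded from: input_file:wlp/lib/com.ibm.ws.collective.member_1.1.21.jar:com/ibm/ws/collective/member/internal/security/SingletonAuthorizerImpl.class */
public class SingletonAuthorizerImpl implements SingletonAuthorizer {
    private static final TraceComponent tc = Tr.register(SingletonAuthorizerImpl.class);
    private static final String KEY_COLLECTIVE_REPOSITORY_MBEAN = "CollectiveRegistrationMBean";
    // Set only while a CollectiveRegistrationMBean is registered; its presence is
    // what isAuthorized() uses to treat this server as a collective controller.
    private final AtomicServiceReference<CollectiveRegistrationMBean> collectiveRegistrationMBeanRef;
    private final SubjectManager subjectManager;
    private final HostNameResolver resolver;
    static final long serialVersionUID = -4581787392491047796L;

    /** Creates the authorizer with a fresh {@link SubjectManager} and {@link HostNameResolver}. */
    public SingletonAuthorizerImpl() {
        this(new SubjectManager(), new HostNameResolver());
    }

    /**
     * Package-private constructor that lets tests inject the collaborators.
     *
     * @param subjectManager   source of the caller subject
     * @param hostNameResolver resolves host names to addresses for the same-host check
     */
    SingletonAuthorizerImpl(SubjectManager subjectManager, HostNameResolver hostNameResolver) {
        this.collectiveRegistrationMBeanRef = new AtomicServiceReference<>(KEY_COLLECTIVE_REPOSITORY_MBEAN);
        this.subjectManager = subjectManager;
        this.resolver = hostNameResolver;
    }

    /**
     * Binds the optional, dynamic {@link CollectiveRegistrationMBean} service.
     * While bound, {@link #isAuthorized(String)} grants every member credential.
     *
     * @param serviceReference the bound service reference
     */
    @Reference(name = KEY_COLLECTIVE_REPOSITORY_MBEAN, service = CollectiveRegistrationMBean.class, policy = ReferencePolicy.DYNAMIC, cardinality = ReferenceCardinality.OPTIONAL, policyOption = ReferencePolicyOption.GREEDY)
    protected void setCollectiveRepositoryMBean(ServiceReference<CollectiveRegistrationMBean> serviceReference) {
        collectiveRegistrationMBeanRef.setReference(serviceReference);
    }

    /**
     * Unbinds the {@link CollectiveRegistrationMBean} service; afterwards member
     * callers are subject to the same-host check again.
     *
     * @param serviceReference the service reference being unbound
     */
    protected void unsetCollectiveRepositoryMBean(ServiceReference<CollectiveRegistrationMBean> serviceReference) {
        collectiveRegistrationMBeanRef.unsetReference(serviceReference);
    }

    /** DS activation hook; nothing to initialize. */
    @Activate
    protected void activate() {
    }

    /** DS deactivation hook; nothing to release. */
    @Deactivate
    protected void deactivate() {
    }

    /**
     * Checks that the current caller may access the named singleton.
     *
     * @param str identifier of the singleton being accessed; used only for
     *            diagnostics (the denial message and FFDC data)
     * @throws AccessControlException if the caller is a member on a different
     *                                host, or its host cannot be resolved
     */
    @Override // com.ibm.ws.collective.member.security.SingletonAuthorizer
    public void isAuthorized(String str) throws AccessControlException {
        Subject callerSubject = subjectManager.getCallerSubject();
        if (callerSubject == null) {
            // Grant: no caller subject at all. The trace wording treats this as the
            // unauthenticated server itself calling in.
            traceEvent("Access granted.  Caller Subject is null: unauthenticated user, the server itself");
            return;
        }

        CollectiveServerCredential credential = firstCollectiveCredential(callerSubject);
        if (credential == null) {
            // Grant: an authenticated subject that is not a collective server.
            traceEvent("Access granted.  Caller Subject is not null, but has no collective server credential: an admin user.");
            return;
        }

        boolean callerIsController = credential.isCollectiveController();
        if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
            Tr.debug(tc, "Collective member credential: isCollectiveController = " + callerIsController, new Object[0]);
        }
        if (callerIsController) {
            traceEvent("Access granted. Caller Subject is not null and has a private credential of a collective controller.");
            return;
        }

        if (collectiveRegistrationMBeanRef.getReference() != null) {
            // This server is a controller: any member may call in.
            traceEvent("Access granted. Caller Subject is a member calling into a collective controller.");
            return;
        }
        // This server is a plain member: a member caller is only accepted from the same host.
        requireSameHost(credential, str);
    }

    /**
     * Returns the first {@link CollectiveServerCredential} among the subject's
     * private credentials, or {@code null} if it has none.
     */
    private static CollectiveServerCredential firstCollectiveCredential(Subject subject) {
        Set<CollectiveServerCredential> credentials = subject.getPrivateCredentials(CollectiveServerCredential.class);
        return credentials.isEmpty() ? null : credentials.iterator().next();
    }

    /**
     * Denies unless the caller's credential names the same host as this server.
     * <p>
     * Only the literal spellings {@code localhost} and {@code 127.0.0.1} short-circuit;
     * every other host name (including the IPv6 loopback {@code ::1} or the machine's
     * own name) is resolved through {@link HostNameResolver} and compared, as a
     * string, with the resolved address of {@link InetAddress#getLocalHost()}.
     * A missing or unresolvable host name fails closed.
     *
     * @param credential the caller's collective server credential
     * @param str        singleton identifier, used only in diagnostics
     * @throws AccessControlException if the hosts differ or cannot be resolved
     */
    private void requireSameHost(CollectiveServerCredential credential, String str) throws AccessControlException {
        String hostName = credential.getHostName();
        if (hostName == null) {
            // Fail closed: a credential without a host cannot be proven local
            // (previously this surfaced as a NullPointerException from trim()).
            String message = "Access is denied. The caller's collective server credential carries no host name.";
            traceEvent(message);
            throw new AccessControlException(message);
        }
        String trimmedHost = hostName.trim();
        if (trimmedHost.equalsIgnoreCase("localhost") || trimmedHost.equals("127.0.0.1")) {
            traceEvent("Access granted. Caller is a member on localhost");
            return;
        }
        try {
            String localAddress = lookupLocalHostAddress();
            String localResolved = resolver.getHostAddressByName(localAddress);
            String callerResolved = resolver.getHostAddressByName(hostName);
            if (localResolved.equals(callerResolved)) {
                traceEvent("Access granted. Caller is a member on the same host as this member:  " + localAddress);
                return;
            }
            traceEvent("Access is denied. The caller is a member from a different host [" + hostName + "(" + callerResolved
                       + ")] than this member's host [" + localAddress + "(" + localResolved + ")]");
            // The constructor already fills in the stack trace; no explicit fillInStackTrace() needed.
            throw new AccessControlException(Tr.formatMessage(tc, "SINGLETON_ACCESS_DENIED", str, hostName, localAddress));
        } catch (UnknownHostException e) {
            FFDCFilter.processException(e, "com.ibm.ws.collective.member.internal.security.SingletonAuthorizerImpl", "222", this, new Object[]{credential, str});
            String message = "Access is denied. Unable to confirm the members are on the same host due to unresolvable host: " + e.getMessage();
            traceEvent(message);
            AccessControlException denied = new AccessControlException(message);
            denied.initCause(e);
            denied.setStackTrace(e.getStackTrace());
            throw denied;
        }
    }

    /**
     * Resolves this server's own address under a privileged block.
     *
     * @return {@code InetAddress.getLocalHost().getHostAddress()}
     * @throws UnknownHostException if the local host cannot be resolved
     */
    @FFDCIgnore({PrivilegedActionException.class})
    private static String lookupLocalHostAddress() throws UnknownHostException {
        try {
            return AccessController.doPrivileged(new PrivilegedExceptionAction<String>() {
                @Override
                public String run() throws UnknownHostException {
                    return InetAddress.getLocalHost().getHostAddress();
                }
            });
        } catch (PrivilegedActionException e) {
            Exception cause = e.getException();
            if (cause instanceof UnknownHostException) {
                throw (UnknownHostException) cause;
            }
            // run() declares only UnknownHostException, so this branch is defensive.
            throw new IllegalStateException("Unexpected exception resolving the local host", cause);
        }
    }

    /** Emits an event-level trace entry when event tracing is enabled. */
    private static void traceEvent(String message) {
        if (TraceComponent.isAnyTracingEnabled() && tc.isEventEnabled()) {
            Tr.event(tc, message, new Object[0]);
        }
    }
}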
