package com.ibm.ws.security.authorization.builtin;

import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.InjectedTrace;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.websphere.ras.annotation.TraceOptions;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.security.SecurityService;
import com.ibm.ws.security.authorization.AuthorizationTableConfigService;
import com.ibm.ws.security.authorization.AuthorizationTableService;
import com.ibm.ws.security.authorization.RoleSet;
import com.ibm.ws.security.authorization.SecurityRole;
import com.ibm.ws.security.credentials.AccessIdUtil;
import com.ibm.ws.security.registry.EntryNotFoundException;
import com.ibm.ws.security.registry.RegistryException;
import com.ibm.ws.security.registry.UserRegistry;
import com.ibm.ws.security.registry.UserRegistryChangeListener;
import com.ibm.wsspi.kernel.service.utils.AtomicServiceReference;
import java.io.IOException;
import java.util.Dictionary;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import org.osgi.framework.ServiceReference;
import org.osgi.service.cm.ConfigurationAdmin;
import org.osgi.service.cm.ConfigurationListener;
import org.osgi.service.component.ComponentContext;
import org.osgi.service.component.annotations.Reference;
import org.osgi.service.component.annotations.ReferencePolicy;

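/**
 * In-memory authorization table for a single application: maps users, groups,
 * special subjects and explicitly configured access ids to the roles they hold.
 *
 * <p>The table is rebuilt from {@link #roles} by {@link #populate()}. Access-id
 * lookups are resolved lazily against the user registry and cached in
 * {@code accessIdToRoles}; {@link #notifyOfUserRegistryChange()} drops those caches.
 *
 * <p>Lookup results: the public getters return {@code null} while the table is not
 * populated or when the application name does not match, and
 * {@link RoleSet#EMPTY_ROLESET} when an access id has no roles. NOTE(review): callers
 * presumably treat both as "no roles granted" -- confirm, since a caller that
 * mishandles {@code null} decides authorization on an undefined value.
 *
 * <p>NOTE(review): none of the map fields is synchronized in this class, and the
 * read path ({@link #getRolesForAccessId}) writes to the caches. If lookups can run
 * concurrently with each other or with reconfiguration, the {@code HashMap}s need
 * external serialization -- confirm against the callers.
 *
 * <p>This source is decompiler output (JADX); parameter names such as {@code str}
 * are synthetic. Where the decompiler reported failed type inference the statements
 * were reconstructed from the surrounding code and should be checked against the
 * original class file.
 */
@TraceOptions(traceGroups = {"Security.Authorization"}, traceGroup = "", messageBundle = "com.ibm.ws.security.authorization.builtin.internal.resources.AuthorizationMessages", traceExceptionThrow = false, traceExceptionHandling = false)
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
/* loaded from: input_file:wlp/lib/com.ibm.ws.security.authorization.builtin_1.0.5.jar:com/ibm/ws/security/authorization/builtin/AbstractSecurityAuthorizationTable.class */
public abstract class AbstractSecurityAuthorizationTable implements AuthorizationTableService, UserRegistryChangeListener, AuthorizationTableConfigService, ConfigurationListener {
    private static final TraceComponent tc = Tr.register(AbstractSecurityAuthorizationTable.class);
    public static final String KEY_SECURITY_SERVICE = "securityService";
    public static final String DEFAULT_ROLE_ELEMENT_NAME = "security-role";
    // Configuration keys; only CFG_KEY_NAME's value ("name") is read in this class.
    static final String CFG_KEY_ID = "id";
    static final String CFG_KEY_REALM = "realm";
    static final String CFG_KEY_USER = "user";
    static final String CFG_KEY_GROUP = "group";
    static final String CFG_KEY_SPECIAL_SUBJECT = "special-subject";
    static final String CFG_KEY_MEMBER = "member";
    static final String CFG_KEY_NAME = "name";
    static final String CFG_KEY_PASSWORD = "password";
    protected final AtomicServiceReference<SecurityService> securityServiceRef = new AtomicServiceReference<>("securityService");
    // Configuration pids that the current role set was built from.
    protected final Set<String> pids = new HashSet<>();
    // Cache: resolved access id -> combined roles (named principal + explicit access id).
    private final Map<String, RoleSet> accessIdToRoles = new HashMap<>();
    private final Map<String, RoleSet> specialSubjectToRoles = new HashMap<>();
    // Caches of registry lookups: configured name -> access id.
    private final Map<String, String> userToAccessId = new HashMap<>();
    private final Map<String, String> groupToAccessId = new HashMap<>();
    private final Map<String, RoleSet> userToRoles = new HashMap<>();
    private final Map<String, RoleSet> groupToRoles = new HashMap<>();
    // Roles granted directly to an access id in the configuration.
    private final Map<String, Set<String>> explicitAccessIdToRoles = new HashMap<>();
    // Initialised through an overridable method; a subclass override runs before the
    // subclass constructor body does.
    protected String roleElementName = getRoleElementName();
    protected boolean populated = false;
    protected Set<SecurityRole> roles = new HashSet<>();
    static final long serialVersionUID = -8997726978570950246L;

    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    public AbstractSecurityAuthorizationTable() {
    }

    /**
     * Activates the security-service reference with the component context.
     * JADX reports that the access modifier was changed from {@code protected}.
     */
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    public synchronized void activate(ComponentContext componentContext) {
        this.securityServiceRef.activate(componentContext);
    }

    /**
     * Deactivates the security-service reference.
     * JADX reports that the access modifier was changed from {@code protected}.
     */
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    public synchronized void deactivate(ComponentContext componentContext) {
        this.securityServiceRef.deactivate(componentContext);
    }

    /** Binds the (dynamic) {@link SecurityService} reference. */
    @Reference(name = "securityService", policy = ReferencePolicy.DYNAMIC, service = SecurityService.class)
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    public void setSecurityService(ServiceReference<SecurityService> serviceReference) {
        this.securityServiceRef.setReference(serviceReference);
    }

    /** Unbinds the {@link SecurityService} reference. */
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    public void unsetSecurityService(ServiceReference<SecurityService> serviceReference) {
        this.securityServiceRef.unsetReference(serviceReference);
    }

    /**
     * Returns the roles mapped to a special subject.
     *
     * @param str  name compared with {@link #getApplicationName()}
     * @param str2 special-subject key
     * @return the mapped role set, or {@code null} when the table is not populated,
     *         the application name differs, or the subject has no entry
     */
    @Override // com.ibm.ws.security.authorization.AuthorizationTableService
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    public RoleSet getRolesForSpecialSubject(String str, String str2) {
        if (this.populated && getApplicationName().equals(str)) {
            return this.specialSubjectToRoles.get(str2);
        }
        return null;
    }

    /**
     * Returns the roles mapped to an access id.
     *
     * @param str  name compared with {@link #getApplicationName()}
     * @param str2 access id to look up
     * @return the role set ({@link RoleSet#EMPTY_ROLESET} when nothing is mapped), or
     *         {@code null} when the table is not populated or the application name differs
     * @throws IllegalArgumentException if {@code str2} is not cached and is rejected by
     *         {@code AccessIdUtil.isAccessId}
     */
    @Override // com.ibm.ws.security.authorization.AuthorizationTableService
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    public RoleSet getRolesForAccessId(String str, String str2) {
        if (this.populated && getApplicationName().equals(str)) {
            return rolesForAccessId(str2);
        }
        return null;
    }

    /** Empties every mapping and cache; {@code populated} is left untouched. */
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    private void clearAuthorizationTable() {
        this.accessIdToRoles.clear();
        this.userToAccessId.clear();
        this.groupToAccessId.clear();
        this.userToRoles.clear();
        this.groupToRoles.clear();
        this.specialSubjectToRoles.clear();
        this.explicitAccessIdToRoles.clear();
    }

    /**
     * Rebuilds the table from {@link #getRoles()}: clears all mappings, collects the
     * role names per user, group, special subject and explicit access id, and marks
     * the table as populated.
     */
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    protected void populate() {
        clearAuthorizationTable();
        Map<String, Set<String>> rolesByUser = new HashMap<>();
        Map<String, Set<String>> rolesByGroup = new HashMap<>();
        Map<String, Set<String>> rolesBySpecialSubject = new HashMap<>();
        Iterator<SecurityRole> roleIterator = getRoles();
        while (roleIterator.hasNext()) {
            SecurityRole role = roleIterator.next();
            String roleName = role.getRoleName();
            for (String user : role.getUsers()) {
                addRoleName(rolesByUser, user, roleName);
            }
            for (String group : role.getGroups()) {
                addRoleName(rolesByGroup, group, roleName);
            }
            for (String specialSubject : role.getSpecialSubjects()) {
                addRoleName(rolesBySpecialSubject, specialSubject, roleName);
            }
            for (String accessId : role.getAccessIds()) {
                addRoleName(this.explicitAccessIdToRoles, accessId, roleName);
            }
        }
        for (Map.Entry<String, Set<String>> entry : rolesByUser.entrySet()) {
            this.userToRoles.put(entry.getKey(), new RoleSet(entry.getValue()));
        }
        for (Map.Entry<String, Set<String>> entry : rolesByGroup.entrySet()) {
            this.groupToRoles.put(entry.getKey(), new RoleSet(entry.getValue()));
        }
        for (Map.Entry<String, Set<String>> entry : rolesBySpecialSubject.entrySet()) {
            this.specialSubjectToRoles.put(entry.getKey(), new RoleSet(entry.getValue()));
        }
        this.populated = true;
    }

    /** Adds {@code roleName} to the set stored under {@code key}, creating the set on first use. */
    private static void addRoleName(Map<String, Set<String>> target, String key, String roleName) {
        Set<String> roleNames = target.get(key);
        if (roleNames == null) {
            roleNames = new HashSet<>();
            target.put(key, roleNames);
        }
        roleNames.add(roleName);
    }

    /** Returns the cached role set for an access id, resolving and caching it on a miss. */
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    private RoleSet rolesForAccessId(String str) {
        RoleSet cached = this.accessIdToRoles.get(str);
        return cached == null ? findRolesForAccessId(str) : cached;
    }

    /**
     * Resolves the roles for an access id that is not in the cache yet.
     *
     * <p>For a user or group access id the configured names are resolved against the
     * registry until one yields the requested access id; failing that, roles granted
     * to the access id explicitly are used.
     *
     * @param str access id to resolve
     * @return the role set, or {@link RoleSet#EMPTY_ROLESET} when the access id is
     *         neither a user nor a group id or has no roles
     * @throws IllegalArgumentException if {@code AccessIdUtil.isAccessId} rejects {@code str}
     */
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    private RoleSet findRolesForAccessId(String str) {
        if (!AccessIdUtil.isAccessId(str)) {
            throw new IllegalArgumentException("Invalid accessId");
        }
        final boolean userAccessId = AccessIdUtil.isUserAccessId(str);
        if (!userAccessId && !AccessIdUtil.isGroupAccessId(str)) {
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "Unknown accessId", new Object[0]);
            }
            return RoleSet.EMPTY_ROLESET;
        }
        RoleSet matched = userAccessId
                ? resolveNamedPrincipals(str, this.userToRoles, this.userToAccessId, true)
                : resolveNamedPrincipals(str, this.groupToRoles, this.groupToAccessId, false);
        if (matched != null) {
            return matched;
        }
        Set<String> explicitRoles = this.explicitAccessIdToRoles.get(str);
        if (explicitRoles != null) {
            RoleSet explicitOnly = new RoleSet(explicitRoles);
            this.accessIdToRoles.put(str, explicitOnly);
            return explicitOnly;
        }
        if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
            Tr.debug(tc, "No roles mapped to accessId", str);
        }
        return RoleSet.EMPTY_ROLESET;
    }

    /**
     * Walks the configured user or group names, resolving each to an access id and
     * caching its combined role set, until one matches {@code wantedAccessId}.
     *
     * <p>A name whose access id cannot be determined is skipped. Caching it would
     * store that principal's roles under a {@code null} key, which a later lookup with
     * a {@code null} access id would then be handed straight from the cache.
     *
     * @return the cached role set of the matching principal, or {@code null} if none matched
     */
    private RoleSet resolveNamedPrincipals(String wantedAccessId, Map<String, RoleSet> nameToRoles, Map<String, String> nameToAccessId, boolean user) {
        for (Map.Entry<String, RoleSet> entry : nameToRoles.entrySet()) {
            String name = entry.getKey();
            String accessId = nameToAccessId.get(name);
            if (accessId == null) {
                accessId = user ? getUserAccessId(name) : getGroupAccessId(name);
                if (accessId == null) {
                    if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                        String message = user ? "Unable to determine accessId of user " : "Unable to determine accessId of group ";
                        Tr.debug(tc, message + name, new Object[0]);
                    }
                    continue;
                }
                nameToAccessId.put(name, accessId);
            }
            if (this.accessIdToRoles.get(accessId) == null) {
                this.accessIdToRoles.put(accessId, new RoleSet(entry.getValue(), this.explicitAccessIdToRoles.get(accessId)));
            }
            if (wantedAccessId.equals(accessId)) {
                return this.accessIdToRoles.get(accessId);
            }
        }
        return null;
    }

    /**
     * Builds the access id of a configured user from the current user registry.
     *
     * <p>NOTE(review): the result of {@code securityServiceRef.getService()} is
     * dereferenced without a null check; confirm it cannot be unbound here.
     *
     * @param str configured user name
     * @return the access id, or {@code null} when the registry lookup fails
     */
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    private String getUserAccessId(String str) {
        try {
            UserRegistry userRegistry = this.securityServiceRef.getService().getUserRegistryService().getUserRegistry();
            return AccessIdUtil.createAccessId("user", userRegistry.getRealm(), userRegistry.getUniqueUserId(str));
        } catch (EntryNotFoundException e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.authorization.builtin.AbstractSecurityAuthorizationTable", "333", this, new Object[]{str});
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                // The decompiled text appended a never-assigned local here; the exception is traced instead.
                Tr.debug(tc, "Caught exception getting the access id for " + str + ": " + e, new Object[0]);
            }
            return null;
        } catch (RegistryException e2) {
            FFDCFilter.processException(e2, "com.ibm.ws.security.authorization.builtin.AbstractSecurityAuthorizationTable", "338", this, new Object[]{str});
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "Caught exception getting the access id for " + str + ": " + e2, new Object[0]);
            }
            return null;
        }
    }

    /**
     * Builds the access id of a configured group from the current user registry.
     *
     * <p>NOTE(review): the result of {@code securityServiceRef.getService()} is
     * dereferenced without a null check; confirm it cannot be unbound here.
     *
     * @param str configured group name
     * @return the access id, or {@code null} when the registry lookup fails
     */
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    private String getGroupAccessId(String str) {
        try {
            UserRegistry userRegistry = this.securityServiceRef.getService().getUserRegistryService().getUserRegistry();
            return AccessIdUtil.createAccessId("group", userRegistry.getRealm(), userRegistry.getUniqueGroupId(str));
        } catch (EntryNotFoundException e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.authorization.builtin.AbstractSecurityAuthorizationTable", "362", this, new Object[]{str});
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                // The decompiled text appended a never-assigned local here; the exception is traced instead.
                Tr.debug(tc, "Caught exception getting the access id for " + str + ": " + e, new Object[0]);
            }
            return null;
        } catch (RegistryException e2) {
            FFDCFilter.processException(e2, "com.ibm.ws.security.authorization.builtin.AbstractSecurityAuthorizationTable", "367", this, new Object[]{str});
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "Caught exception getting the access id for " + str + ": " + e2, new Object[0]);
            }
            return null;
        }
    }

    /**
     * Drops the registry-derived caches after a user registry change.
     *
     * <p>NOTE(review): {@code specialSubjectToRoles} is cleared here as well, but it is
     * filled only by {@link #populate()} and {@code populated} stays {@code true}, so
     * {@link #getRolesForSpecialSubject} returns {@code null} for every subject until
     * the table is populated again. Confirm that this is intended.
     */
    @Override // com.ibm.ws.security.registry.UserRegistryChangeListener
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    public void notifyOfUserRegistryChange() {
        this.accessIdToRoles.clear();
        this.userToAccessId.clear();
        this.groupToAccessId.clear();
        this.specialSubjectToRoles.clear();
    }

    /** Returns the application name this table answers for. */
    protected abstract String getApplicationName();

    /** Returns the configuration element name for roles; {@value #DEFAULT_ROLE_ELEMENT_NAME} by default. */
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    protected String getRoleElementName() {
        return DEFAULT_ROLE_ELEMENT_NAME;
    }

    /** Returns an iterator over the roles the table is built from. */
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    protected Iterator<SecurityRole> getRoles() {
        return this.roles.iterator();
    }

    /**
     * Replaces the role set with the roles defined by the given configuration pids
     * and repopulates the table.
     *
     * <p>A pid whose configuration has no properties is reported and skipped. Without
     * that check the lookup of the role name would throw before {@link #populate()}
     * runs, leaving the previous mappings in place although the roles were already
     * cleared.
     *
     * <p>When a role cannot be added because an equal one is already present, the
     * error is logged and {@code remove} is called with the new instance.
     * NOTE(review): if {@code SecurityRoleImpl} has value equality this removes the
     * earlier definition too, so a duplicated role ends up with no definition -- confirm.
     *
     * @param strArr            configuration pids of the roles; may be {@code null}
     * @param configurationAdmin source of the role configurations
     */
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    public void setFeatureRoleConfiguration(String[] strArr, ConfigurationAdmin configurationAdmin) {
        this.roles.clear();
        this.pids.clear();
        if (strArr != null) {
            for (String str : strArr) {
                this.pids.add(str);
                try {
                    Dictionary<String, Object> properties = configurationAdmin.getConfiguration(str).getProperties();
                    if (properties == null) {
                        Tr.error(tc, "AUTHZ_TABLE_INVALID_ROLE_DEFINITION", str);
                        continue;
                    }
                    String roleName = (String) properties.get("name");
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Role name " + roleName, new Object[0]);
                    }
                    SecurityRoleImpl securityRoleImpl = new SecurityRoleImpl(configurationAdmin, roleName, properties, this.pids);
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Adding role", securityRoleImpl);
                    }
                    if (!this.roles.add(securityRoleImpl)) {
                        Tr.error(tc, "AUTHZ_TABLE_DUPLICATE_ROLE_DEFINITION", securityRoleImpl);
                        this.roles.remove(securityRoleImpl);
                    }
                } catch (IOException e) {
                    FFDCFilter.processException(e, "com.ibm.ws.security.authorization.builtin.AbstractSecurityAuthorizationTable", "427", this, new Object[]{strArr, configurationAdmin});
                    if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                        Tr.debug(tc, "Invalid role definition", str, e.getMessage());
                    }
                }
            }
        }
        populate();
    }

    /**
     * Processes the role definition of every given role name and repopulates the table.
     *
     * <p>NOTE(review): the decompiled body calls {@code processRole} twice with the
     * same arguments for each name, and {@link #roles} is not cleared first. Whether
     * the second call is in the original class or a decompiler artifact cannot be told
     * from this text; it is kept as found. With value equality on
     * {@code SecurityRoleImpl} the second call would take the duplicate branch and
     * remove the role again -- verify against the original class file.
     *
     * @param strArr            role names, used as keys into {@code map}
     * @param configurationAdmin source of the role configurations
     * @param map               role name to array of configuration pids
     */
    @Override // com.ibm.ws.security.authorization.AuthorizationTableConfigService
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    public void setConfiguration(String[] strArr, ConfigurationAdmin configurationAdmin, Map<String, Object> map) {
        if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
            Tr.debug(tc, "Auth table configuration", map);
        }
        this.pids.clear();
        for (String str : strArr) {
            processRole(str, configurationAdmin, map);
            processRole(str, configurationAdmin, map);
        }
        populate();
    }

    /**
     * Adds the role named {@code str} from the first configuration pid listed for it.
     *
     * <p>A missing configuration, missing properties or an {@link IOException} is
     * reported as an invalid role definition and the role is not added. When an equal
     * role is already present the duplicate is reported and {@code remove} is called
     * with the new instance.
     *
     * @param str               role name and key into {@code map}
     * @param configurationAdmin source of the role configuration
     * @param map               role name to array of configuration pids
     */
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    private void processRole(String str, ConfigurationAdmin configurationAdmin, Map<String, Object> map) {
        String[] rolePids = (String[]) map.get(str);
        if (rolePids == null || rolePids.length == 0) {
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "No roles were defined with element: " + str, new Object[0]);
            }
            return;
        }
        if (rolePids.length > 1 && TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
            Tr.debug(tc, "Multiple roles were defined with element: " + str + ". Using 1st definition", new Object[0]);
        }
        String pid = rolePids[0];
        this.pids.add(pid);
        try {
            // Fully qualified so that the file's import block does not have to change.
            org.osgi.service.cm.Configuration configuration = configurationAdmin.getConfiguration(pid);
            Dictionary<String, Object> properties = configuration == null ? null : configuration.getProperties();
            if (properties == null) {
                Tr.error(tc, "AUTHZ_TABLE_INVALID_ROLE_DEFINITION", pid);
                return;
            }
            SecurityRoleImpl securityRoleImpl = new SecurityRoleImpl(configurationAdmin, str, properties, this.pids);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Adding role", securityRoleImpl);
            }
            if (!this.roles.add(securityRoleImpl)) {
                Tr.error(tc, "AUTHZ_TABLE_DUPLICATE_ROLE_DEFINITION", str);
                this.roles.remove(securityRoleImpl);
            }
        } catch (IOException e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.authorization.builtin.AbstractSecurityAuthorizationTable", "483", this, new Object[]{str, configurationAdmin, map});
            Tr.error(tc, "AUTHZ_TABLE_INVALID_ROLE_DEFINITION", pid);
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "Invalid role definition", pid, e.getMessage());
            }
        }
    }
}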
