package com.ibm.ws.security.appbnd.internal.delegation;

import com.ibm.websphere.crypto.PasswordUtil;
import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.InjectedTrace;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.websphere.ras.annotation.TraceOptions;
import com.ibm.websphere.ras.annotation.Trivial;
import com.ibm.ws.javaee.dd.appbnd.RunAs;
import com.ibm.ws.javaee.dd.appbnd.SecurityRole;
import com.ibm.ws.security.SecurityService;
import com.ibm.ws.security.appbnd.internal.TraceConstants;
import com.ibm.ws.security.authentication.AuthenticationData;
import com.ibm.ws.security.authentication.AuthenticationException;
import com.ibm.ws.security.authentication.AuthenticationService;
import com.ibm.ws.security.authentication.WSAuthenticationData;
import com.ibm.ws.security.delegation.DelegationProvider;
import com.ibm.wsspi.security.token.AttributeNameConstants;
import java.util.Collection;
import java.util.HashMap;
import java.util.Hashtable;
import java.util.Map;
import javax.security.auth.Subject;

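/**
 * Default {@link DelegationProvider}: resolves the {@link RunAs} identity configured for an
 * application security role and authenticates it into the {@link Subject} the container
 * delegates to.
 *
 * <p>Lookups go through a per-application role-to-{@link RunAs} cache that is filled lazily
 * from the security roles registered with {@link #createAppToSecurityRolesMapping}. A role
 * without a run-as element is cached as a {@link NoRunAs} placeholder so a miss is not
 * rescanned on every call; {@link #removeRoleToRunAsMapping} drops both the cache entry and
 * the registered roles of an application.
 *
 * <p>NOTE(review): both maps are plain {@link HashMap}s with no synchronization and the
 * callers' threading model is not visible here; confirm registrations and lookups cannot
 * race before relying on this class from several threads.
 */
@TraceOptions(traceGroups = {"security"}, traceGroup = "", messageBundle = TraceConstants.MESSAGE_BUNDLE, traceExceptionThrow = false, traceExceptionHandling = false)
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
/* loaded from: input_file:wlp/lib/com.ibm.ws.security.appbnd_1.0.2.jar:com/ibm/ws/security/appbnd/internal/delegation/DefaultDelegationProvider.class */
public class DefaultDelegationProvider implements DelegationProvider {
    private static final TraceComponent tc = Tr.register((Class<?>) DefaultDelegationProvider.class, "security", TraceConstants.MESSAGE_BUNDLE);
    /** Context name handed to {@code AuthenticationService.authenticate} on both run-as paths (presumably the login configuration entry — confirm). */
    private static final String SYSTEM_WEB_INBOUND = "system.WEB_INBOUND";
    /** Application name -> security roles registered for it; the first registration wins. */
    private final Map<String, Collection<SecurityRole>> appToSecurityRolesMap = new HashMap<>();
    /** Application name -> (role name -> resolved {@link RunAs}); filled lazily by {@link #getRunAs}. */
    private final Map<String, Map<String, RunAs>> roleToRunAsMappingPerApp = new HashMap<>();
    private SecurityService securityService;
    static final long serialVersionUID = 3704633919387066658L;

    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    public DefaultDelegationProvider() {
    }

    /**
     * Injects the {@link SecurityService} whose {@code AuthenticationService} performs the
     * run-as authentication. Nothing in this class checks that it was set; a lookup that
     * reaches authentication before injection fails with a {@code NullPointerException}.
     *
     * @param securityService the service to authenticate run-as users with
     */
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    public void setSecurityService(SecurityService securityService) {
        this.securityService = securityService;
    }

    /**
     * Returns the authenticated run-as subject for a security role of an application.
     *
     * @param str  name of the security role
     * @param str2 name of the application the role belongs to
     * @return the run-as subject, or {@code null} when the role has no run-as userid configured
     *         (or the authentication service is unavailable on the assertion path)
     * @throws AuthenticationException if authenticating the run-as user fails
     */
    @Override // com.ibm.ws.security.delegation.DelegationProvider
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    public Subject getRunAsSubject(String str, String str2) throws AuthenticationException {
        RunAs runAs = getRunAs(str, str2);
        return isValidRunAs(runAs) ? authenticateRunAsUser(runAs) : null;
    }

    /**
     * Resolves the {@link RunAs} for a role from the per-application cache, filling the cache
     * from the registered security roles on a miss. {@link #getRunAsFromConfig} never returns
     * {@code null}, so every looked-up role ends up cached (as {@link NoRunAs} when unknown).
     */
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    private RunAs getRunAs(String roleName, String appName) {
        return getRoleToRunAsMap(appName).computeIfAbsent(roleName, name -> getRunAsFromConfig(name, appName));
    }

    /**
     * Scans the security roles registered for {@code appName} for one named {@code roleName}.
     * The loop deliberately does not stop at the first hit: when several registered roles share
     * a name the last one wins, as before.
     *
     * @return the role's {@link RunAs}, or a {@link NoRunAs} placeholder when the application
     *         or role is unknown or the role carries no run-as; never {@code null}
     */
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    private RunAs getRunAsFromConfig(String roleName, String appName) {
        RunAs runAs = null;
        Collection<SecurityRole> roles = appToSecurityRolesMap.get(appName);
        if (roles == null) {
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                // NOTE(review): this prints every registered SecurityRole via toString(); confirm
                // SecurityRole/RunAs toString() does not include the configured run-as password.
                Tr.debug(tc, "The app " + appName + " was not found in the map, " + appToSecurityRolesMap, new Object[0]);
            }
        } else {
            for (SecurityRole role : roles) {
                if (roleName.equals(role.getName())) {
                    runAs = role.getRunAs();
                }
            }
        }
        return runAs == null ? new NoRunAs() : runAs;
    }

    /** Returns the (mutable) role-to-RunAs cache of an application, creating it on first use. */
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    private Map<String, RunAs> getRoleToRunAsMap(String appName) {
        return roleToRunAsMappingPerApp.computeIfAbsent(appName, key -> new HashMap<>());
    }

    /** A run-as is usable only when it names a userid; {@link NoRunAs} and userid-less entries are skipped. */
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    private boolean isValidRunAs(RunAs runAs) {
        return runAs != null && runAs.getUserid() != null;
    }

    /**
     * Authenticates the run-as user. The configured password is decoded first; when the
     * decoded value is {@code null} (TODO confirm what {@code passwordDecode} returns for a
     * missing password) the identity is asserted through a temporary partial subject instead
     * of being verified with a credential.
     *
     * @throws AuthenticationException if the authentication service rejects the user
     */
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    private Subject authenticateRunAsUser(RunAs runAs) throws AuthenticationException {
        String userid = runAs.getUserid();
        String password = PasswordUtil.passwordDecode(runAs.getPassword());
        if (password == null) {
            return setUpAndAuthenticateTemporarySubject(userid);
        }
        // NOTE(review): unlike the assertion path, a null AuthenticationService is not checked
        // here and surfaces as a NullPointerException rather than a null subject. The decoded
        // password also lives on as an immutable String until collected; only the char[] copy
        // handed to WSAuthenticationData could be cleared by the consumer.
        AuthenticationData authData = createAuthenticationData(userid, password);
        return securityService.getAuthenticationService().authenticate(SYSTEM_WEB_INBOUND, authData, (Subject) null);
    }

    /**
     * Asserts {@code userid} by authenticating a partial subject that carries only the userid
     * and the internal assertion flag.
     *
     * @return the authenticated subject, or {@code null} when no authentication service is available
     * @throws AuthenticationException if the authentication service rejects the assertion
     */
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    private Subject setUpAndAuthenticateTemporarySubject(String userid) throws AuthenticationException {
        Subject partialSubject = createPartialSubject(userid);
        AuthenticationService authenticationService = securityService.getAuthenticationService();
        if (authenticationService == null) {
            return null;
        }
        return authenticationService.authenticate(SYSTEM_WEB_INBOUND, partialSubject);
    }

    /**
     * Builds a subject whose only public credential is a {@link Hashtable} holding the userid
     * and the {@code com.ibm.ws.authentication.internal.assertion} flag (presumably telling the
     * authentication service to accept the identity without a credential — confirm).
     */
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    private Subject createPartialSubject(String userid) {
        Subject subject = new Subject();
        Hashtable<String, Object> credential = new Hashtable<>();
        credential.put(AttributeNameConstants.WSCREDENTIAL_USERID, userid);
        credential.put("com.ibm.ws.authentication.internal.assertion", Boolean.TRUE);
        subject.getPublicCredentials().add(credential);
        return subject;
    }

    /**
     * Registers the security roles of an application. Only the first registration for a name
     * is kept; the collection is stored as given (not copied), so later mutation by the caller
     * is visible to lookups.
     *
     * @param str        application name
     * @param collection the application's security roles
     */
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    public void createAppToSecurityRolesMapping(String str, Collection<SecurityRole> collection) {
        appToSecurityRolesMap.putIfAbsent(str, collection);
    }

    /**
     * Forgets an application: empties its role-to-RunAs cache (the per-application map itself
     * is kept, as before) and drops its registered security roles.
     *
     * @param str application name
     */
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    public void removeRoleToRunAsMapping(String str) {
        Map<String, RunAs> cached = roleToRunAsMappingPerApp.get(str);
        if (cached != null) {
            cached.clear();
        }
        appToSecurityRolesMap.remove(str);
    }

    /**
     * Packages a userid and password into the {@link AuthenticationData} consumed by the
     * authentication service. The password is set only when non-null, as a {@code char[]}.
     *
     * @param str  userid
     * @param str2 clear-text password, may be {@code null}
     * @return the populated authentication data
     */
    @Trivial
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    protected AuthenticationData createAuthenticationData(String str, String str2) {
        WSAuthenticationData authData = new WSAuthenticationData();
        authData.set(AuthenticationData.USERNAME, str);
        if (str2 != null) {
            authData.set(AuthenticationData.PASSWORD, str2.toCharArray());
        }
        return authData;
    }
}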
