package com.ibm.ejs.j2c;

import com.ibm.ejs.ras.Tr;
import com.ibm.ejs.ras.TraceComponent;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.j2c.SecurityHelper;
import com.ibm.ws.jca.adapter.WSManagedConnectionFactory;
import com.ibm.ws.kernel.security.thread.ThreadIdentityManager;
import com.ibm.ws.rsadapter.spi.InternalDataStoreHelper;
import com.ibm.ws.security.util.AccessController;
import com.ibm.wsspi.security.auth.callback.Constants;
import java.io.IOException;
import java.io.NotSerializableException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Set;
import javax.resource.ResourceException;
import javax.resource.spi.ConnectionRequestInfo;
import javax.resource.spi.ManagedConnectionFactory;
import javax.resource.spi.security.GenericCredential;
import javax.security.auth.Subject;

/* loaded from: input_file:wlp/lib/com.ibm.ws.jca.cm_1.0.2.jar:com/ibm/ejs/j2c/ThreadIdentitySecurityHelper.class */
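/**
 * {@link SecurityHelper} that, for connectors whose thread-identity support is
 * ALLOWED or REQUIRED, pushes the caller's identity (or the server's) onto the
 * OS thread around a connection request and restores it afterwards.
 *
 * <p>Protocol as visible in this file:
 * <ul>
 *   <li>{@link #finalizeSubject} may replace the configured Subject with the
 *       current thread's invocation Subject (always for REQUIRED; for ALLOWED
 *       only when no alias is configured).</li>
 *   <li>{@link #beforeGettingConnection} pushes an identity to the OS thread
 *       and returns an opaque token (or {@code null} when nothing was pushed).</li>
 *   <li>{@link #afterGettingConnection} hands that token back to
 *       {@code ThreadIdentityManager.reset} to restore the previous OS identity.</li>
 * </ul>
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>The before/after calls must be paired by the caller (not visible here),
 *       preferably in a {@code finally}; a token that is never passed to
 *       {@code afterGettingConnection} leaves the pushed identity on what is
 *       presumably a pooled thread.</li>
 *   <li>Several branches fall back to {@code ThreadIdentityManager.runAsServer()},
 *       i.e. the connection is obtained under the server's OS identity rather
 *       than the caller's. This is configuration-driven, but worth knowing when
 *       auditing which identity reaches the EIS.</li>
 *   <li>Entry/exit trace includes {@code Subject.toString()} evaluated under
 *       {@code doPrivileged}; whether that exposes credential material depends
 *       on the credential implementations' {@code toString()} — treat trace
 *       output as sensitive.</li>
 * </ul>
 *
 * <p>Instances refuse Java serialization (see {@link #writeObject}/{@link #readObject}).
 */
public class ThreadIdentitySecurityHelper implements SecurityHelper {
    private static final long serialVersionUID = 71;

    /**
     * Mechanism type that this helper treats as a UTOKEN credential when scanning a
     * Subject's private {@link GenericCredential}s. Value kept verbatim from the
     * original; its registry meaning is not established by this file.
     */
    private static final String UTOKEN_MECH_TYPE = "oid:1.3.18.0.2.30.1";

    private static final TraceComponent tc = Tr.register((Class<?>) ThreadIdentitySecurityHelper.class, J2CConstants.traceSpec, J2CConstants.messageFile);

    private WSManagedConnectionFactory mcf;
    /** Whether the connector permits pushing identities to the OS thread at all. */
    private final boolean m_ThreadSecurity;
    /** One of the InternalDataStoreHelper.THREAD_IDENTITY_SUPPORT_* values, possibly null. */
    private String m_ThreadIdentitySupport;
    private final boolean m_GlobalSecurityEnabled = true;

    /** Serialization is refused: this object carries live security state and config. */
    private void writeObject(ObjectOutputStream objectOutputStream) throws IOException {
        throw new NotSerializableException(ThreadIdentitySecurityHelper.class.getName());
    }

    /** Deserialization is refused for the same reason as {@link #writeObject}. */
    private void readObject(ObjectInputStream objectInputStream) throws IOException {
        throw new NotSerializableException(ThreadIdentitySecurityHelper.class.getName());
    }

    /**
     * Captures the connector's thread-identity configuration from the factory.
     *
     * @param wSManagedConnectionFactory factory supplying thread-identity support
     *        level and the thread-security switch; must not be null
     * @throws ResourceException declared for interface compatibility; not thrown here
     */
    public ThreadIdentitySecurityHelper(WSManagedConnectionFactory wSManagedConnectionFactory) throws ResourceException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "<init>", new Object[]{this, wSManagedConnectionFactory});
        }
        this.mcf = wSManagedConnectionFactory;
        this.m_ThreadIdentitySupport = wSManagedConnectionFactory.getThreadIdentitySupport();
        this.m_ThreadSecurity = wSManagedConnectionFactory.getThreadSecurity();
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "<init>");
        }
    }

    /**
     * Restores the OS thread identity that {@link #beforeGettingConnection} replaced.
     *
     * @param subject               subject used for the request (trace only)
     * @param connectionRequestInfo request info (trace only)
     * @param obj                   token returned by {@link #beforeGettingConnection};
     *                              {@code null} means nothing was pushed and nothing is done
     * @throws ResourceException if the reset fails; both the security-manager and the
     *         plain path wrap {@link IllegalStateException} so callers see the declared type
     */
    @Override // com.ibm.ws.j2c.SecurityHelper
    public void afterGettingConnection(Subject subject, ConnectionRequestInfo connectionRequestInfo, final Object obj) throws ResourceException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "afterGettingConnection", new Object[]{this, getSubjectString(subject), connectionRequestInfo, obj});
        }
        if (obj != null) {
            try {
                if (System.getSecurityManager() == null) {
                    ThreadIdentityManager.reset(obj);
                } else {
                    AccessController.doPrivileged(new PrivilegedExceptionAction<Object>() { // from class: com.ibm.ejs.j2c.ThreadIdentitySecurityHelper.1
                        @Override // java.security.PrivilegedExceptionAction
                        public Object run() throws Exception {
                            ThreadIdentityManager.reset(obj);
                            return null;
                        }
                    });
                }
            } catch (IllegalStateException e) {
                FFDCFilter.processException(e, "com.ibm.ejs.j2c.ThreadIdentitySecurityHelper.afterGettingConnection", "38", this);
                Tr.error(tc, "ILLEGAL_STATE_EXCEPTION_J2CA0079", new Object[]{"ThreadIdentitySecurityHelper.afterGettingConnection()", e});
                throw wrap("ThreadIdentitySecurityHelper.afterGettingConnection() failed attempting to restore user identity to the OS Thread", e);
            } catch (PrivilegedActionException e2) {
                FFDCFilter.processException(e2, "com.ibm.ejs.j2c.ThreadIdentitySecurityHelper.afterGettingConnection", "37", this);
                Tr.error(tc, "FAILED_DOPRIVILEGED_J2CA0060", e2);
                throw wrap("ThreadIdentitySecurityHelper.afterGettingConnection() failed attempting to restore user identity to the OS Thread", e2.getException());
            }
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "afterGettingConnection() restored OS thread identity");
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "afterGettingConnection");
        }
    }

    /**
     * Pushes an identity to the OS thread before the connector is asked for a connection.
     *
     * <p>Decision table (only when thread identity is enabled and the connector is
     * ALLOWED or REQUIRED):
     * <ul>
     *   <li>no Subject: push the server identity if thread security is on;</li>
     *   <li>Subject without a UTOKEN credential: delegate to
     *       {@link #checkForUTOKENNotFoundError} (fails for REQUIRED or an empty Subject,
     *       otherwise proceeds without pushing anything);</li>
     *   <li>Subject with a UTOKEN and thread security on: push the Subject's identity if
     *       J2C thread identity is enabled, else the server identity if application
     *       thread identity is enabled.</li>
     * </ul>
     *
     * @return opaque token to hand to {@link #afterGettingConnection}, or {@code null}
     *         when nothing was pushed
     * @throws ResourceException if the Subject is unusable or the push fails
     */
    @Override // com.ibm.ws.j2c.SecurityHelper
    public Object beforeGettingConnection(Subject subject, ConnectionRequestInfo connectionRequestInfo) throws ResourceException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "beforeGettingConnection", new Object[]{this, getSubjectString(subject), connectionRequestInfo});
        }
        Object token = null;
        if (!ThreadIdentityManager.isThreadIdentityEnabled()) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "beforeGettingConnection() processing skipped. Security not enabled.");
            }
        } else if (threadIdentityAllowed() || threadIdentityRequired()) {
            if (subject == null) {
                // Thread identity is already known to be enabled here; only the connector switch matters.
                if (this.m_ThreadSecurity) {
                    token = ThreadIdentityManager.runAsServer();
                }
            } else if (!doesSubjectContainUTOKEN(subject)) {
                checkForUTOKENNotFoundError(subject);
            } else if (this.m_ThreadSecurity) {
                if (ThreadIdentityManager.isJ2CThreadIdentityEnabled()) {
                    token = setJ2CThreadIdentity(subject);
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "beforeGettingConnection() pushed the user identity associated with the thread to the OS Thread:  ", new Object[]{getSubjectString(subject)});
                    }
                } else {
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "beforeGettingConnection() could not push user identity associated with the thread to the OS Thread  because server was not enabled for SyncToThread.");
                    }
                    // Fallback: the connection is obtained under the server's identity, not the caller's.
                    if (ThreadIdentityManager.isAppThreadIdentityEnabled()) {
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "beforeGettingConnection() pushing server identity to the OS Thread because Application SyncToThread is enabled.");
                        }
                        token = ThreadIdentityManager.runAsServer();
                    }
                }
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "beforeGettingConnection", new Object[]{token});
        }
        return token;
    }

    /**
     * No-op for this helper: the CRI is not modified for the relational resource adapter.
     * Kept for interface completeness; only trace is emitted.
     */
    @Override // com.ibm.ws.j2c.SecurityHelper
    public void finalizeCriForRRA(Subject subject, ConnectionRequestInfo connectionRequestInfo, ManagedConnectionFactory managedConnectionFactory) throws ResourceException {
        if (TraceComponent.isAnyTracingEnabled() && tc.isEntryEnabled()) {
            Tr.entry(tc, "finalizeCriForRRA");
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "finalizeCriForRRA");
        }
    }

    /**
     * Chooses the Subject used for the request, possibly overriding the configured one
     * with the current thread's J2C invocation Subject.
     *
     * <p>Applies only when {@code cMConfigData.getAuth() == 0} (presumably
     * container-managed authentication — confirm against CMConfigData):
     * REQUIRED always substitutes the thread identity; ALLOWED substitutes it only when
     * no mapping/container alias is configured. A null {@code cMConfigData} fails fast
     * with a NullPointerException rather than silently keeping the supplied Subject.
     *
     * @return the Subject to use; the input Subject when no substitution applies
     * @throws ResourceException if the invocation Subject cannot be obtained
     */
    @Override // com.ibm.ws.j2c.SecurityHelper
    public Subject finalizeSubject(Subject subject, ConnectionRequestInfo connectionRequestInfo, CMConfigData cMConfigData) throws ResourceException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "finalizeSubject", new Object[]{this, getSubjectString(subject), connectionRequestInfo});
        }
        Subject chosen = subject;
        if (cMConfigData.getAuth() == 0) {
            if (threadIdentityAllowed()) {
                String alias = getAliasToFinalize(cMConfigData);
                if (alias == null || alias.isEmpty()) {
                    chosen = getJ2CInvocationSubject();
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "finalizeSubject(): No user identity was specifed. User identity has been defaulted to current thread identity");
                    }
                }
            } else if (threadIdentityRequired()) {
                chosen = getJ2CInvocationSubject();
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "finalizeSubject(): Connector REQUIRED specified user identity to be overridden by the current thread identity");
                }
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "finalizeSubject", new Object[]{getSubjectString(chosen)});
        }
        return chosen;
    }

    /** Null-safe test for THREAD_IDENTITY_SUPPORT_ALLOWED (the field may be null). */
    private boolean threadIdentityAllowed() {
        return InternalDataStoreHelper.THREAD_IDENTITY_SUPPORT_ALLOWED.equals(this.m_ThreadIdentitySupport);
    }

    /** Null-safe test for THREAD_IDENTITY_SUPPORT_REQUIRED (the field may be null). */
    private boolean threadIdentityRequired() {
        return InternalDataStoreHelper.THREAD_IDENTITY_SUPPORT_REQUIRED.equals(this.m_ThreadIdentitySupport);
    }

    /**
     * Builds the declared exception type with the given cause attached.
     * {@code initCause} is used (rather than a two-arg constructor) to match the
     * original behaviour on older JCA API levels.
     */
    private static ResourceException wrap(String message, Throwable cause) {
        ResourceException resourceException = new ResourceException(message);
        resourceException.initCause(cause);
        return resourceException;
    }

    /**
     * Renders a Subject for trace output, under {@code doPrivileged} when a security
     * manager is installed so that the trace itself does not fail on permission checks.
     *
     * <p>NOTE(review): {@code Subject.toString()} may include private credentials'
     * {@code toString()} output; whether that leaks secrets depends on the credential
     * classes in use. Trace containing this string should be handled as sensitive.
     *
     * @return the rendering, a placeholder if it failed, or {@code null} for a null Subject
     */
    private String getSubjectString(final Subject subject) {
        if (subject == null) {
            return null;
        }
        if (System.getSecurityManager() == null) {
            return subject.toString();
        }
        try {
            return (String) AccessController.doPrivileged(new PrivilegedExceptionAction<Object>() { // from class: com.ibm.ejs.j2c.ThreadIdentitySecurityHelper.2
                @Override // java.security.PrivilegedExceptionAction
                public Object run() throws Exception {
                    return subject.toString();
                }
            });
        } catch (PrivilegedActionException e) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Exception received in getSubjectString:", e);
            }
            return "Subject cannot be traced due to a PrivilegedActionException";
        }
    }

    /**
     * Resolves the alias that would be used for the request: the mapping alias from the
     * default mapping module's login-config properties when that module is configured,
     * otherwise the container alias.
     *
     * @return the alias, or {@code null} when neither is set or {@code cMConfigData} is null
     */
    private String getAliasToFinalize(CMConfigData cMConfigData) {
        if (cMConfigData == null) {
            return null;
        }
        String alias = null;
        String loginConfigurationName = cMConfigData.getLoginConfigurationName();
        boolean defaultMappingModule = loginConfigurationName != null
                && !loginConfigurationName.isEmpty()
                && loginConfigurationName.equals(ConnectionFactoryRefBuilder.DEFAULT_MAPPING_MODULE_mappingConfigAlias);
        if (defaultMappingModule) {
            HashMap<String, String> loginConfigProperties = cMConfigData.getLoginConfigProperties();
            if (loginConfigProperties != null && !loginConfigProperties.isEmpty()) {
                alias = loginConfigProperties.get(Constants.MAPPING_ALIAS);
            }
        }
        if (alias == null) {
            alias = cMConfigData.getContainerAlias();
        }
        return alias;
    }

    /**
     * Obtains the current thread's J2C invocation Subject from the ThreadIdentityManager.
     *
     * @throws ResourceException wrapping {@link IllegalStateException} (either path) or the
     *         exception raised inside the privileged action
     */
    private Subject getJ2CInvocationSubject() throws ResourceException {
        try {
            if (System.getSecurityManager() == null) {
                return ThreadIdentityManager.getJ2CInvocationSubject();
            }
            return (Subject) AccessController.doPrivileged(new PrivilegedExceptionAction<Object>() { // from class: com.ibm.ejs.j2c.ThreadIdentitySecurityHelper.3
                @Override // java.security.PrivilegedExceptionAction
                public Object run() throws Exception {
                    return ThreadIdentityManager.getJ2CInvocationSubject();
                }
            });
        } catch (IllegalStateException e) {
            FFDCFilter.processException(e, "com.ibm.ejs.j2c.ThreadIdentitySecurityHelper.finalizeSubject", "826", this);
            Tr.error(tc, "ILLEGAL_STATE_EXCEPTION_J2CA0079", new Object[]{"ThreadIdentitySecurityHelper.finalizeSubject()", e});
            throw wrap("ThreadIdentitySecurityHelper.finalizeSubject() failed attempting to get local OS invocation subject", e);
        } catch (PrivilegedActionException e2) {
            FFDCFilter.processException(e2, "com.ibm.ejs.j2c.ThreadIdentitySecurityHelper.finalizeSubject", "826", this);
            Tr.error(tc, "FAILED_DOPRIVILEGED_J2CA0060", e2);
            throw wrap("ThreadIdentitySecurityHelper.finalizeSubject() failed attempting to get local OS invocation subject", e2.getException());
        }
    }

    /**
     * Reports whether the Subject carries a private {@link GenericCredential} whose
     * mechanism type is {@link #UTOKEN_MECH_TYPE}. The whole scan runs inside one
     * privileged action when a security manager is present, since iterating a Subject's
     * private credential set is permission-checked.
     *
     * @throws ResourceException if the credentials cannot be accessed
     */
    private boolean doesSubjectContainUTOKEN(Subject subject) throws ResourceException {
        final Set<GenericCredential> credentials = getPrivateGenericCredentials(subject);
        if (System.getSecurityManager() == null) {
            return containsUtoken(credentials);
        }
        try {
            Boolean found = (Boolean) AccessController.doPrivileged(new PrivilegedExceptionAction<Object>() { // from class: com.ibm.ejs.j2c.ThreadIdentitySecurityHelper.4
                @Override // java.security.PrivilegedExceptionAction
                public Object run() throws Exception {
                    return Boolean.valueOf(containsUtoken(credentials));
                }
            });
            return found.booleanValue();
        } catch (PrivilegedActionException e) {
            FFDCFilter.processException(e, "com.ibm.ejs.j2c.ThreadIdentitySecurityHelper.beforeGettingConnection", "19", this);
            Tr.error(tc, "FAILED_DOPRIVILEGED_J2CA0060", e);
            throw wrap("ThreadIdentitySecurityHelper.beforeGettingConnection() failed attempting to access Subject's credentials", e.getException());
        }
    }

    /** Null-tolerant scan: a credential with a null mech type is simply not a match. */
    private static boolean containsUtoken(Set<GenericCredential> credentials) {
        for (GenericCredential credential : credentials) {
            if (credential != null && UTOKEN_MECH_TYPE.equals(credential.getMechType())) {
                return true;
            }
        }
        return false;
    }

    /**
     * Returns the Subject's private {@link GenericCredential}s, fetched under
     * {@code doPrivileged} when a security manager is installed.
     *
     * @throws ResourceException if the privileged fetch fails
     */
    @SuppressWarnings("unchecked")
    private Set<GenericCredential> getPrivateGenericCredentials(final Subject subject) throws ResourceException {
        if (System.getSecurityManager() == null) {
            return subject.getPrivateCredentials(GenericCredential.class);
        }
        try {
            return (Set<GenericCredential>) AccessController.doPrivileged(new PrivilegedExceptionAction<Object>() { // from class: com.ibm.ejs.j2c.ThreadIdentitySecurityHelper.5
                @Override // java.security.PrivilegedExceptionAction
                public Object run() throws Exception {
                    return subject.getPrivateCredentials(GenericCredential.class);
                }
            });
        } catch (PrivilegedActionException e) {
            FFDCFilter.processException(e, "com.ibm.ejs.j2c.ThreadIdentitySecurityHelper.beforeGettingConnection", "18", this);
            Tr.error(tc, "FAILED_DOPRIVILEGED_J2CA0060", e);
            throw wrap("ThreadIdentitySecurityHelper failed attempting to access Subject's credentials", e.getException());
        }
    }

    /**
     * Pushes the Subject's identity to the OS thread via the ThreadIdentityManager.
     *
     * @return the token needed to undo the push in {@link #afterGettingConnection}
     * @throws ResourceException wrapping {@link IllegalStateException} (either path) or the
     *         exception raised inside the privileged action
     */
    private Object setJ2CThreadIdentity(final Subject subject) throws ResourceException {
        try {
            if (System.getSecurityManager() == null) {
                return ThreadIdentityManager.setJ2CThreadIdentity(subject);
            }
            return AccessController.doPrivileged(new PrivilegedExceptionAction<Object>() { // from class: com.ibm.ejs.j2c.ThreadIdentitySecurityHelper.6
                @Override // java.security.PrivilegedExceptionAction
                public Object run() throws Exception {
                    return ThreadIdentityManager.setJ2CThreadIdentity(subject);
                }
            });
        } catch (IllegalStateException e) {
            FFDCFilter.processException(e, "com.ibm.ejs.j2c.ThreadIdentitySecurityHelper.beforeGettingConnection", "20", this);
            Tr.error(tc, "ILLEGAL_STATE_EXCEPTION_J2CA0079", new Object[]{"ThreadIdentitySecurityHelper.beforeGettingConnection()", e});
            throw wrap("ThreadIdentitySecurityHelper.beforeGettingConnection() failed attempting to push the current user identity to the OS Thread", e);
        } catch (PrivilegedActionException e2) {
            FFDCFilter.processException(e2, "com.ibm.ejs.j2c.ThreadIdentitySecurityHelper.beforeGettingConnection", "11", this);
            Tr.error(tc, "FAILED_DOPRIVILEGED_J2CA0060", e2);
            throw wrap("ThreadIdentitySecurityHelper.beforeGettingConnection() failed attempting to push the current user identity to the OS Thread", e2.getException());
        }
    }

    /**
     * Called when the Subject has no UTOKEN credential. Fails for a connector that
     * REQUIRES thread identity, and for a Subject with no private credentials at all;
     * otherwise returns normally and the request proceeds without a pushed identity.
     *
     * <p>The original built, threw and immediately caught an IllegalStateException to
     * produce the cause; the same cause chain is produced here without exception-driven
     * control flow.
     *
     * @throws ResourceException (cause: IllegalStateException) in the two failing cases
     */
    private void checkForUTOKENNotFoundError(Subject subject) throws ResourceException {
        if (threadIdentityRequired()) {
            IllegalStateException illegalStateException = new IllegalStateException("ThreadIdentitySecurityHelper.beforeGettingConnection() detected Subject not setup for using thread identity, but the connector requires thread identity be used.");
            Tr.error(tc, "ILLEGAL_STATE_EXCEPTION_J2CA0079", new Object[]{"ThreadIdentitySecurityHelper.beforeGettingConnection()", illegalStateException});
            throw wrap("ThreadIdentitySecurityHelper.beforeGettingConnection() detected Subject with illegal state", illegalStateException);
        }
        if (!subject.getPrivateCredentials().iterator().hasNext()) {
            IllegalStateException illegalStateException2 = new IllegalStateException("ThreadIdentitySecurityHelper.beforeGettingConnection() detected Subject with no credentials.");
            Tr.error(tc, "ILLEGAL_STATE_EXCEPTION_J2CA0079", new Object[]{"ThreadIdentitySecurityHelper.beforeGettingConnection()", illegalStateException2});
            throw wrap("ThreadIdentitySecurityHelper.beforeGettingConnection() detected Subject with illegal state", illegalStateException2);
        }
    }
}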
